2023–002 DHHR INFORMATION SYSTEM AND RELATED BUSINESS PROCESS CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF, Child Care and Development Fund (CCDF) Cluster, 93.575/93.596/COVID 19 93.575, Grant Award 2201WVCCDF, Grant Award 2201WVCCDM, Grant Award 2201WVCCDD, Grant Award 2301WVCCDF, Grant Award 2301WVCCDM, Grant Award 2301WVCCDD, Foster Care Title IV-E, 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: Family and Children Tracking System (FACTS): West Virginia Department of Health and Human Resources (DHHR) operates a wide variety of computer applications, many of which affect federal and State programs’ data. Our review of the information system controls noted that adequate segregation of duties does not exist for the FACTS information system. Certain users have the ability to both create and approve cases. We noted that management implemented a mitigating detect control for the Foster Care program during fiscal year 2012 in response to this repeat finding; however, it was not designed to encompass the Adoption Assistance program or automatic payments in the Foster Care program. Additionally, no supervisory review is required for provider payment information input into the system. Recipient Automated Payment Information Data System (RAPIDS): Our testing of the controls surrounding eligibility determination noted that adequate segregation of duties does not exist for the RAPIDS system. In addition, no supervisory review is required for case information input into the system. Further, it was noted that approval of disbursements only occurs at the batch level, which does not allow the approver to review each transaction individually. Cause: Controls have not been implemented over the segregation of duties within RAPIDS and FACTS. Furthermore, management indicated that a lack of personnel resources contributes to the improper segregation of duties issue. Effect or Potential Effect: Without proper segregation of duties or adequate detect controls, the ability exists for certain information system users to create and approve cases and demand payments within the FACTS and RAPIDS applications. Information can be input into the FACTS and RAPIDS applications or modified within the applications without supervisory review, which could lead to payments being made to ineligible applicants, for the improper amount, or for an improper length of time. Without proper segregation of duties or adequate detect controls, the ability exists for case workers to input unsupported information into an applicant’s eligibility calculation within RAPIDS. Further, without supervisory review at the transactional level, disbursements for unallowable costs or activities could occur. Questioned Costs: N/A Context: Total federal expenditures for these programs can be located in the Schedule of Expenditures of Federal Awards. Identification as a Repeat Finding: Prior Year Findings 2022–001 and 2021–001
Recommendation: We recommend that access to various FACTS and RAPIDS system applications be restricted to a limited number of users. Controls should be established to ensure that an individual is limited to either creating or approving cases or payments. A detect control should be implemented that would require a review of all individual cases and payments with the same request and approval worker to ensure that cases and payments created and approved were appropriate. Further, we recommend that a formal review process be implemented to ensure that information input into FACTS and RAPIDS is properly reviewed by authorized individuals prior to payment. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–005 SPECIAL TESTS AND PROVISIONS – ADP SYSTEM FOR SNAP
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 7 CFR section 272.10 requires that State agencies “sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information concerning SNAP.” This includes: (1) processing and storing all case file information necessary for eligibility determination and benefit calculation, identifying specific elements that affect eligibility, and notifying the certification unit of cases requiring notices of disposition, adverse action and mass change, and expiration; (2) providing an automatic cutoff of participation for households that have not been recertified at the end of their certification period by reapplying and being determined eligible for a new period; and (3) generating data necessary to meet federal issuance and reconciliation reporting requirements. Condition: The Department of Health and Human Resources (DHHR) uses the Recipient Automated Payment Information Data System (RAPIDS) as its Automated Data Processing (ADP) system for SNAP. Our testing of the controls surrounding eligibility determination noted that no independent review and approval is required in RAPIDS for case information input by the case worker. Further, it was noted that review and approval of disbursements only occurs at the batch level, which does not allow the independent reviewer to review each transaction individually. Data integrity is a critical for the automation SNAP operations. Due to limitations of the ADP system for SNAP, the auditor was unable to conclude whether or not the State’s ADP system for SNAP (i.e., RAPIDS) was in compliance with requirements of 7 CFR section 272.10. Cause: Controls within the RAPIDS system are not designed to sufficiently protect the integrity of data input into the system. Effect or Potential Effect: The information related to the operations of the SNAP Cluster may not be appropriately maintained, processed or transmitted by the ADP system. Questioned Costs: N/A Context: Total federal expenditures for the SNAP Cluster were $884,947,739 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–002 Recommendation: We recommend that management establish the appropriate segregation of duties related to the review and approval of eligibility applications, in order to maintain effective IT general controls over the RAPIDS ADP system for SNAP. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–006 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200 requires that costs do not consist of improper payments, defined as “any payment that should not have been made or that was made in an incorrect amount under statutory, contractual, administrative, or other legally applicable requirements. Incorrect amounts are overpayments or underpayments that are made to eligible recipients (including inappropriate denials of payment or service, any payment that does not account for credit for applicable discounts, payments that are for an incorrect amount, and duplicate payments). An improper payment also includes any payment that was made to an ineligible recipient or for an ineligible good or service, or payments for goods or services not received (except for such payments authorized by law).” Condition: During our testing of 40 cases for allowability for SNAP, we noted one emergency supplemental allotment payment to a recipient for a month that was not allowable. Cause: Internal controls are not adequately designed or implemented to prevent non-compliance surrounding the issuance of SNAP benefits. Effect or Potential Effect: Disbursements to recipients could be made that are not allowable. Questioned Costs: $463 Context: Total federal expenditures for the SNAP Cluster were $884,947,739 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–003 Recommendation: DHHR should ensure that all compliance requirements are reviewed to ensure the benefit amounts are accurate prior to disbursement. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–002 DHHR INFORMATION SYSTEM AND RELATED BUSINESS PROCESS CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF, Child Care and Development Fund (CCDF) Cluster, 93.575/93.596/COVID 19 93.575, Grant Award 2201WVCCDF, Grant Award 2201WVCCDM, Grant Award 2201WVCCDD, Grant Award 2301WVCCDF, Grant Award 2301WVCCDM, Grant Award 2301WVCCDD, Foster Care Title IV-E, 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: Family and Children Tracking System (FACTS): West Virginia Department of Health and Human Resources (DHHR) operates a wide variety of computer applications, many of which affect federal and State programs’ data. Our review of the information system controls noted that adequate segregation of duties does not exist for the FACTS information system. Certain users have the ability to both create and approve cases. We noted that management implemented a mitigating detect control for the Foster Care program during fiscal year 2012 in response to this repeat finding; however, it was not designed to encompass the Adoption Assistance program or automatic payments in the Foster Care program. Additionally, no supervisory review is required for provider payment information input into the system. Recipient Automated Payment Information Data System (RAPIDS): Our testing of the controls surrounding eligibility determination noted that adequate segregation of duties does not exist for the RAPIDS system. In addition, no supervisory review is required for case information input into the system. Further, it was noted that approval of disbursements only occurs at the batch level, which does not allow the approver to review each transaction individually. Cause: Controls have not been implemented over the segregation of duties within RAPIDS and FACTS. Furthermore, management indicated that a lack of personnel resources contributes to the improper segregation of duties issue. Effect or Potential Effect: Without proper segregation of duties or adequate detect controls, the ability exists for certain information system users to create and approve cases and demand payments within the FACTS and RAPIDS applications. Information can be input into the FACTS and RAPIDS applications or modified within the applications without supervisory review, which could lead to payments being made to ineligible applicants, for the improper amount, or for an improper length of time. Without proper segregation of duties or adequate detect controls, the ability exists for case workers to input unsupported information into an applicant’s eligibility calculation within RAPIDS. Further, without supervisory review at the transactional level, disbursements for unallowable costs or activities could occur. Questioned Costs: N/A Context: Total federal expenditures for these programs can be located in the Schedule of Expenditures of Federal Awards. Identification as a Repeat Finding: Prior Year Findings 2022–001 and 2021–001
Recommendation: We recommend that access to various FACTS and RAPIDS system applications be restricted to a limited number of users. Controls should be established to ensure that an individual is limited to either creating or approving cases or payments. A detect control should be implemented that would require a review of all individual cases and payments with the same request and approval worker to ensure that cases and payments created and approved were appropriate. Further, we recommend that a formal review process be implemented to ensure that information input into FACTS and RAPIDS is properly reviewed by authorized individuals prior to payment. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–005 SPECIAL TESTS AND PROVISIONS – ADP SYSTEM FOR SNAP
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 7 CFR section 272.10 requires that State agencies “sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information concerning SNAP.” This includes: (1) processing and storing all case file information necessary for eligibility determination and benefit calculation, identifying specific elements that affect eligibility, and notifying the certification unit of cases requiring notices of disposition, adverse action and mass change, and expiration; (2) providing an automatic cutoff of participation for households that have not been recertified at the end of their certification period by reapplying and being determined eligible for a new period; and (3) generating data necessary to meet federal issuance and reconciliation reporting requirements. Condition: The Department of Health and Human Resources (DHHR) uses the Recipient Automated Payment Information Data System (RAPIDS) as its Automated Data Processing (ADP) system for SNAP. Our testing of the controls surrounding eligibility determination noted that no independent review and approval is required in RAPIDS for case information input by the case worker. Further, it was noted that review and approval of disbursements only occurs at the batch level, which does not allow the independent reviewer to review each transaction individually. Data integrity is a critical for the automation SNAP operations. Due to limitations of the ADP system for SNAP, the auditor was unable to conclude whether or not the State’s ADP system for SNAP (i.e., RAPIDS) was in compliance with requirements of 7 CFR section 272.10. Cause: Controls within the RAPIDS system are not designed to sufficiently protect the integrity of data input into the system. Effect or Potential Effect: The information related to the operations of the SNAP Cluster may not be appropriately maintained, processed or transmitted by the ADP system. Questioned Costs: N/A Context: Total federal expenditures for the SNAP Cluster were $884,947,739 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–002 Recommendation: We recommend that management establish the appropriate segregation of duties related to the review and approval of eligibility applications, in order to maintain effective IT general controls over the RAPIDS ADP system for SNAP. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–006 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200 requires that costs do not consist of improper payments, defined as “any payment that should not have been made or that was made in an incorrect amount under statutory, contractual, administrative, or other legally applicable requirements. Incorrect amounts are overpayments or underpayments that are made to eligible recipients (including inappropriate denials of payment or service, any payment that does not account for credit for applicable discounts, payments that are for an incorrect amount, and duplicate payments). An improper payment also includes any payment that was made to an ineligible recipient or for an ineligible good or service, or payments for goods or services not received (except for such payments authorized by law).” Condition: During our testing of 40 cases for allowability for SNAP, we noted one emergency supplemental allotment payment to a recipient for a month that was not allowable. Cause: Internal controls are not adequately designed or implemented to prevent non-compliance surrounding the issuance of SNAP benefits. Effect or Potential Effect: Disbursements to recipients could be made that are not allowable. Questioned Costs: $463 Context: Total federal expenditures for the SNAP Cluster were $884,947,739 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–003 Recommendation: DHHR should ensure that all compliance requirements are reviewed to ensure the benefit amounts are accurate prior to disbursement. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–002 DHHR INFORMATION SYSTEM AND RELATED BUSINESS PROCESS CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF, Child Care and Development Fund (CCDF) Cluster, 93.575/93.596/COVID 19 93.575, Grant Award 2201WVCCDF, Grant Award 2201WVCCDM, Grant Award 2201WVCCDD, Grant Award 2301WVCCDF, Grant Award 2301WVCCDM, Grant Award 2301WVCCDD, Foster Care Title IV-E, 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: Family and Children Tracking System (FACTS): West Virginia Department of Health and Human Resources (DHHR) operates a wide variety of computer applications, many of which affect federal and State programs’ data. Our review of the information system controls noted that adequate segregation of duties does not exist for the FACTS information system. Certain users have the ability to both create and approve cases. We noted that management implemented a mitigating detect control for the Foster Care program during fiscal year 2012 in response to this repeat finding; however, it was not designed to encompass the Adoption Assistance program or automatic payments in the Foster Care program. Additionally, no supervisory review is required for provider payment information input into the system. Recipient Automated Payment Information Data System (RAPIDS): Our testing of the controls surrounding eligibility determination noted that adequate segregation of duties does not exist for the RAPIDS system. In addition, no supervisory review is required for case information input into the system. Further, it was noted that approval of disbursements only occurs at the batch level, which does not allow the approver to review each transaction individually. Cause: Controls have not been implemented over the segregation of duties within RAPIDS and FACTS. Furthermore, management indicated that a lack of personnel resources contributes to the improper segregation of duties issue. Effect or Potential Effect: Without proper segregation of duties or adequate detect controls, the ability exists for certain information system users to create and approve cases and demand payments within the FACTS and RAPIDS applications. Information can be input into the FACTS and RAPIDS applications or modified within the applications without supervisory review, which could lead to payments being made to ineligible applicants, for the improper amount, or for an improper length of time. Without proper segregation of duties or adequate detect controls, the ability exists for case workers to input unsupported information into an applicant’s eligibility calculation within RAPIDS. Further, without supervisory review at the transactional level, disbursements for unallowable costs or activities could occur. Questioned Costs: N/A Context: Total federal expenditures for these programs can be located in the Schedule of Expenditures of Federal Awards. Identification as a Repeat Finding: Prior Year Findings 2022–001 and 2021–001
Recommendation: We recommend that access to various FACTS and RAPIDS system applications be restricted to a limited number of users. Controls should be established to ensure that an individual is limited to either creating or approving cases or payments. A detect control should be implemented that would require a review of all individual cases and payments with the same request and approval worker to ensure that cases and payments created and approved were appropriate. Further, we recommend that a formal review process be implemented to ensure that information input into FACTS and RAPIDS is properly reviewed by authorized individuals prior to payment. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–005 SPECIAL TESTS AND PROVISIONS – ADP SYSTEM FOR SNAP
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 7 CFR section 272.10 requires that State agencies “sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information concerning SNAP.” This includes: (1) processing and storing all case file information necessary for eligibility determination and benefit calculation, identifying specific elements that affect eligibility, and notifying the certification unit of cases requiring notices of disposition, adverse action and mass change, and expiration; (2) providing an automatic cutoff of participation for households that have not been recertified at the end of their certification period by reapplying and being determined eligible for a new period; and (3) generating data necessary to meet federal issuance and reconciliation reporting requirements. Condition: The Department of Health and Human Resources (DHHR) uses the Recipient Automated Payment Information Data System (RAPIDS) as its Automated Data Processing (ADP) system for SNAP. Our testing of the controls surrounding eligibility determination noted that no independent review and approval is required in RAPIDS for case information input by the case worker. Further, it was noted that review and approval of disbursements only occurs at the batch level, which does not allow the independent reviewer to review each transaction individually. Data integrity is a critical for the automation SNAP operations. Due to limitations of the ADP system for SNAP, the auditor was unable to conclude whether or not the State’s ADP system for SNAP (i.e., RAPIDS) was in compliance with requirements of 7 CFR section 272.10. Cause: Controls within the RAPIDS system are not designed to sufficiently protect the integrity of data input into the system. Effect or Potential Effect: The information related to the operations of the SNAP Cluster may not be appropriately maintained, processed or transmitted by the ADP system. Questioned Costs: N/A Context: Total federal expenditures for the SNAP Cluster were $884,947,739 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–002 Recommendation: We recommend that management establish the appropriate segregation of duties related to the review and approval of eligibility applications, in order to maintain effective IT general controls over the RAPIDS ADP system for SNAP. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–006 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200 requires that costs do not consist of improper payments, defined as “any payment that should not have been made or that was made in an incorrect amount under statutory, contractual, administrative, or other legally applicable requirements. Incorrect amounts are overpayments or underpayments that are made to eligible recipients (including inappropriate denials of payment or service, any payment that does not account for credit for applicable discounts, payments that are for an incorrect amount, and duplicate payments). An improper payment also includes any payment that was made to an ineligible recipient or for an ineligible good or service, or payments for goods or services not received (except for such payments authorized by law).” Condition: During our testing of 40 cases for allowability for SNAP, we noted one emergency supplemental allotment payment to a recipient for a month that was not allowable. Cause: Internal controls are not adequately designed or implemented to prevent non-compliance surrounding the issuance of SNAP benefits. Effect or Potential Effect: Disbursements to recipients could be made that are not allowable. Questioned Costs: $463 Context: Total federal expenditures for the SNAP Cluster were $884,947,739 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–003 Recommendation: DHHR should ensure that all compliance requirements are reviewed to ensure the benefit amounts are accurate prior to disbursement. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–007 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education Child Nutrition Cluster 10.553/10.555/10.556/10.559/10.582
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: The West Virginia Department of Education is a prime recipient of funding for the Child Nutrition Cluster and made first tier subawards of greater than $30,000, but did not file any of the necessary Federal Funding Accountability and Transparency Act (FFATA) reports. Cause: Policies and procedures and internal controls were not in place to ensure compliance with the Transparency Act. Effect or Potential Effect: West Virginia Department of Education management did not report the necessary FFATA reports for first tier subawards over $30,000 to The FFATA Subaward Reporting System. Questioned Costs: N/A Context: Total federal expenditures and total subrecipient expenditures for the Child Nutrition Cluster were $197,977,921 and $197,522,202, respectively, for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–004 Recommendation: We recommend that West Virginia Department of Education management take immediate action to ensure compliance with the reporting requirements of the FFATA. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–007 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education Child Nutrition Cluster 10.553/10.555/10.556/10.559/10.582
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: The West Virginia Department of Education is a prime recipient of funding for the Child Nutrition Cluster and made first tier subawards of greater than $30,000, but did not file any of the necessary Federal Funding Accountability and Transparency Act (FFATA) reports. Cause: Policies and procedures and internal controls were not in place to ensure compliance with the Transparency Act. Effect or Potential Effect: West Virginia Department of Education management did not report the necessary FFATA reports for first tier subawards over $30,000 to The FFATA Subaward Reporting System. Questioned Costs: N/A Context: Total federal expenditures and total subrecipient expenditures for the Child Nutrition Cluster were $197,977,921 and $197,522,202, respectively, for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–004 Recommendation: We recommend that West Virginia Department of Education management take immediate action to ensure compliance with the reporting requirements of the FFATA. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–007 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education Child Nutrition Cluster 10.553/10.555/10.556/10.559/10.582
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: The West Virginia Department of Education is a prime recipient of funding for the Child Nutrition Cluster and made first tier subawards of greater than $30,000, but did not file any of the necessary Federal Funding Accountability and Transparency Act (FFATA) reports. Cause: Policies and procedures and internal controls were not in place to ensure compliance with the Transparency Act. Effect or Potential Effect: West Virginia Department of Education management did not report the necessary FFATA reports for first tier subawards over $30,000 to The FFATA Subaward Reporting System. Questioned Costs: N/A Context: Total federal expenditures and total subrecipient expenditures for the Child Nutrition Cluster were $197,977,921 and $197,522,202, respectively, for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–004 Recommendation: We recommend that West Virginia Department of Education management take immediate action to ensure compliance with the reporting requirements of the FFATA. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–007 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education Child Nutrition Cluster 10.553/10.555/10.556/10.559/10.582
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: The West Virginia Department of Education is a prime recipient of funding for the Child Nutrition Cluster and made first tier subawards of greater than $30,000, but did not file any of the necessary Federal Funding Accountability and Transparency Act (FFATA) reports. Cause: Policies and procedures and internal controls were not in place to ensure compliance with the Transparency Act. Effect or Potential Effect: West Virginia Department of Education management did not report the necessary FFATA reports for first tier subawards over $30,000 to The FFATA Subaward Reporting System. Questioned Costs: N/A Context: Total federal expenditures and total subrecipient expenditures for the Child Nutrition Cluster were $197,977,921 and $197,522,202, respectively, for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–004 Recommendation: We recommend that West Virginia Department of Education management take immediate action to ensure compliance with the reporting requirements of the FFATA. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–007 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education Child Nutrition Cluster 10.553/10.555/10.556/10.559/10.582
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: The West Virginia Department of Education is a prime recipient of funding for the Child Nutrition Cluster and made first tier subawards of greater than $30,000, but did not file any of the necessary Federal Funding Accountability and Transparency Act (FFATA) reports. Cause: Policies and procedures and internal controls were not in place to ensure compliance with the Transparency Act. Effect or Potential Effect: West Virginia Department of Education management did not report the necessary FFATA reports for first tier subawards over $30,000 to The FFATA Subaward Reporting System. Questioned Costs: N/A Context: Total federal expenditures and total subrecipient expenditures for the Child Nutrition Cluster were $197,977,921 and $197,522,202, respectively, for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–004 Recommendation: We recommend that West Virginia Department of Education management take immediate action to ensure compliance with the reporting requirements of the FFATA. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–008 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Housing and Urban Development Community Development Block Grants/State’s Program and Non-Entitlement Gants in Hawaii 14.228, Grant Award B15DC540001, Grant Award B16DL540001 #2, Grant Award B15DC540001, Grant Award B16DC540001, Grant Award B17DC540001, Grant Award B18DC540001, Grant Award B19DC540001, Grant Award B20DC540001, Grant Award B20DW540001, Grant Award B21DC540001 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) Reports, it was noted that the reports were not submitted by the State of West Virginia Community Development Block Grant program management within the timeframe designated in 2 CFR 170 Appendix A.
Cause: A lack of oversight and adequate review of the FFATA reporting requirements by CDBG management caused the reports required for first-tier subawards over $30,000 to not be submitted timely to the FFATA Subaward Reporting System, and to have missing/incorrect information reported. Effect or Potential Effect: CDBG management did not report the necessary FFATA reports for first-tier subawards over $30,000 to The FFATA Subaward Reporting System accurately or in a timely fashion. Questioned Costs: N/A Context: Subawards for the CDBG program included 19 subawards that totaled $21,829,101 for the year ended June 30, 2023. The five subawards tested that were not reported to the FFATA Subaward Reporting System timely were $18,302,375. Total expenditures for the CDBG program were $29,946,440 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–005 Recommendation: We recommend that CDBG management take immediate action to ensure compliance with the reporting requirements of the Federal Funding Accountability and Transparency Act, which includes the timely submission of the reports and accurate information. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–008 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Housing and Urban Development Community Development Block Grants/State’s Program and Non-Entitlement Gants in Hawaii 14.228, Grant Award B15DC540001, Grant Award B16DL540001 #2, Grant Award B15DC540001, Grant Award B16DC540001, Grant Award B17DC540001, Grant Award B18DC540001, Grant Award B19DC540001, Grant Award B20DC540001, Grant Award B20DW540001, Grant Award B21DC540001 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) Reports, it was noted that the reports were not submitted by the State of West Virginia Community Development Block Grant program management within the timeframe designated in 2 CFR 170 Appendix A.
Cause: A lack of oversight and adequate review of the FFATA reporting requirements by CDBG management caused the reports required for first-tier subawards over $30,000 to not be submitted timely to the FFATA Subaward Reporting System, and to have missing/incorrect information reported. Effect or Potential Effect: CDBG management did not report the necessary FFATA reports for first-tier subawards over $30,000 to The FFATA Subaward Reporting System accurately or in a timely fashion. Questioned Costs: N/A Context: Subawards for the CDBG program included 19 subawards that totaled $21,829,101 for the year ended June 30, 2023. The five subawards tested that were not reported to the FFATA Subaward Reporting System timely were $18,302,375. Total expenditures for the CDBG program were $29,946,440 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–005 Recommendation: We recommend that CDBG management take immediate action to ensure compliance with the reporting requirements of the Federal Funding Accountability and Transparency Act, which includes the timely submission of the reports and accurate information. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–009 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of the Interior Abandoned Mine Land Reclamation (AMLR) 15.252, Grant Award S16AF20058, Grant Award S18AF20000, Grant Award S19AF20000, Grant Award S19AF20020, Grant Award S20AF20008, Grant Award S20AF20038, Grant Award S20AF20094, Grant Award S21AF10040, Grant Award S22AF00013, Grant Award S22AF00039, Grant Award S23AF00013, Grant Award S23AF00059, Grant Award S23AF00107 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: For three of four subawards selected for testing, the West Virginia Department of Environmental Protection (the Department) was not in compliance with FFATA reporting requirements. The following table summarizes the exceptions noted during testing. There were no internal controls in place surrounding review and approval of the FFATA reports. Cause: The Department does not have adequate internal controls and policies and procedures in place to ensure that subawards of $30,000 or more are being reported accurately to FSRS. Effect or Potential Effect: The Department is not reporting accurate information for first-tier subawards of $30,000 or more causing them not to be in compliance with federal reporting requirements. Questioned Costs: N/A Context: Total federal expenditures and total subrecipient expenditures for the Abandoned Mine Land Reclamation (AMLR) Grants program were $29,631,143 and $12,283,714, respectively, for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that the Department strengthen internal controls and policies and procedures over FFATA reporting to ensure they are in compliance with federal reporting requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–010 REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of the Interior Abandoned Mine Land Reclamation (AMLR) 15.252, Grant Award S16AF20058, Grant Award S18AF20000, Grant Award S19AF20000, Grant Award S19AF20020, Grant Award S20AF20008, Grant Award S20AF20038, Grant Award S20AF20094, Grant Award S21AF10040, Grant Award S22AF00013, Grant Award S22AF00039, Grant Award S23AF00013, Grant Award S23AF00059, Grant Award S23AF00107 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.302(b)(2) “Accurate, current, and complete disclosure of the financial results of each Federal award or program in accordance with the reporting requirements set forth in §§ 200.328 and 200.329.” Condition: The West Virginia Department of Environmental Protection (the Department) is responsible for preparing the SF-425 and SF-425A. There were errors in reporting on the SF-425 reports where receipts and disbursements reported did not agree to the underlying data used to prepare the reports. In addition, the Department did not file the SF-425A reports as required. There were no internal controls in place surrounding review and approval of the financial reports. Cause: The Department does not have adequate internal controls and policies and procedures in place to ensure that reports contain accurate financial information and are submitted as required. Effect or Potential Effect: The Department is not reporting accurate information for the SF-425 reports and is not submitting the SF-425A reports causing them not to be in compliance with federal reporting requirements over financial reports. Questioned Costs: Unknown Context: We selected five SF-425 reports for testing and noted errors in all the reports. We selected five SF-425A reports for testing and noted the reports were not filed. Total federal expenditures for the AMLR Grants program were $29,631,143 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that the Department strengthen internal controls and policies and procedures over financial reporting to ensure they are in compliance with federal reporting requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–011 SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of the Interior Abandoned Mine Land Reclamation (AMLR) 15.252, Grant Award S16AF20058, Grant Award S18AF20000, Grant Award S19AF20000, Grant Award S19AF20020, Grant Award S20AF20008, Grant Award S20AF20038, Grant Award S20AF20094, Grant Award S21AF10040, Grant Award S22AF00013, Grant Award S22AF00039, Grant Award S23AF00013, Grant Award S23AF00059, Grant Award S23AF00107
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.332(b) requires that all pass-through entities must: (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency). Condition: We noted that the West Virginia Department of Environmental Protection (the Department) did not perform a subrecipient risk assessment. Therefore, the Department was unable to provide documentation supporting that the level of monitoring to be completed for each subrecipient was appropriate based on the risk assessment. Cause: The Department does not have policies and procedures in place surrounding the subrecipient monitoring compliance requirements and a risk assessment of subrecipients was not performed during the current fiscal year. Effect or Potential Effect: The Department does not have proper internal controls in place to ensure risk assessments are performed annually for all subrecipients. Questioned Costs: Unknown Context: Total federal expenditures and total subrecipient expenditures for the AMLR Grants program were $29,631,143 and $12,283,714, respectively, for the year ended June 30, 2023. There were 24 subrecipients during the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that the Department implement written policies and procedures to perform an annual risk assessment of subrecipients to determine the proper extent of monitoring procedures. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–012 REPORTING - SCHEDULE OF EXPENDITURES OF FEDERAL AWARDS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of the Interior Abandoned Mine Land Reclamation (AMLR) Grants 15.252, Grant Award S16AF20058, Grant Award S18AF20000, Grant Award S19AF20000, Grant Award S19AF20020. Grant Award S20AF20008, Grant Award S20AF20038, Grant Award S20AF20094, Grant Award S21AF10040, Grant Award S22AF00013, Grant Award S22AF00039, Grant Award S23AF00013, Grant Award S23AF00059, Grant Award S23AF00107 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The Uniform Guidance 2 CFR section 200.510 states, “(b) Schedule of expenditures of Federal awards. The auditee must also prepare a schedule of expenditures of federal awards (SEFA) for the period covered by the auditee’s financial statements which must include the total Federal awards expended as determined in accordance with §200.502 Basis for determining Federal awards expended.” Condition: The West Virginia Department of Environmental Protection (the Department)’s internal controls are not adequate to ensure the Schedule of Expenditures of Federal Awards (SEFA) accurately reports all federal assistance. The Department’s SEFA for fiscal year 2023 under the Abandoned Mine Land Reclamation (AMLR) Grants program excluded indirect costs preliminary SEFA. Cause: The internal controls over the SEFA reporting processes were not operating effectively to ensure the SEFA included indirect costs. Effect or Potential Effect: The Department is not properly reporting their federal expenditures and major programs may not be appropriately identified. Questioned Costs: N/A Context: Total indirect costs for fiscal 2023, totaling $1,592,074, were incorrectly excluded from the SEFA. Management corrected the final SEFA. Total federal expenditures for the AMLR Grants program were $31,223,217 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that the Department ensure staff responsible for the preparation of the SEFA be provided guidance on recording indirect expenses on the SEFA and the SEFA be reviewed and approved by supervising personnel. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–013 INTERNAL CONTROLS OVER INFORMATION TECHNOLOGY
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Labor Unemployment Insurance (UI) 17.225, Grant Award UI-38244-22-55-A-54, Grant Award UI-34749-20-55-A-54, Grant Award UI-39304-23-55-A-54, Grant Award UI-37257-22-55-A-54, Grant Award UI-39356-23-55-A-54, Grant Award UI-38014-22-60-A-54
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Workforce West Virginia (WWV) does not perform periodic documented reviews of administrator access changes to the Automated Benefit Payment System (ABPS) or the Unemployment Compensation Tax applications (UC Tax). A user access review is performed periodically for ABPS and UC Tax, however the review is not documented. Employee terminations were not being communicated timely to the West Virginia Office of Technology (WVOT) to remove network access or within the organization to remove access to ABPS and UC Tax. The current process to remove terminated employees does not allow for the documentation of all applications requiring access removal. WWV has not performed periodic disaster recovery testing for WWV owned applications. WWV did not perform a timely review of the SOC report for wvOASIS and documentation did not include reviewing and determining if the required complementary user entity controls were in place. Additionally, complementary user entity controls were not in place. Cause: The internal controls over the information technology processes were not adequately designed or implemented. Effect or Potential Effect: Unauthorized access to critical information systems may occur and not be detected or resolved in a timely manner causing WWV to be in noncompliance.
WWV may not be able to effectively respond to a disaster and recover pertinent data. Questioned Costs: N/A Context: Total federal disbursements for the UI program were $138,362,181 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Findings 2022–008 and 2021–005 Recommendation: WWV should implement policies and procedures that include monitoring the information systems and systems controls reports. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–014 REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Labor Unemployment Insurance (UI) 17.225, Grant Award UI-38244-22-55-A-54, Grant Award UI-34749-20-55-A-54, Grant Award UI-39304-23-55-A-54, Grant Award UI-37257-22-55-A-54, Grant Award UI-9356-23-55-A-54, Grant Award UI-38014-22-60-A-54 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The following reports tested were not reviewed and approved prior to submission: 1) ) one of the four Employment and Training Administration “ETA” 9050 reports 2) two of the four ETA 9052 reports, and 3) one of the four ETA 9055 reports. Cause: The internal controls over the individual reporting processes were not adequately enforced or documented. Effect and Potential Effect: Reports could be filed with errors or lack of supporting documentation and not be identified by management. Questioned Costs: N/A Context: Total federal disbursements for the UI program were $138,362,181 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Findings 2022–007 and 2021–006 Recommendation: We recommend that WWV implement internal controls over the report submission process, to ensure each report is reviewed and approved by appropriate individuals familiar with the reporting requirements to ensure that accurate information is reported. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–015 REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Transportation National Infrastructure Investments 20.933, Grant Award 693JJ22040000BDG0WV0522045, Grant Award 693JJ22040000BDG0WV0484326, Grant Award 693JJ22140000BDG3WV0641399, Grant Award 693JJ22240000BDG6WV0793309 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The terms and conditions of the grant awards require the recipient to submit various financial and performance reports, including Quarterly Project Progress Reports and Pre-Project Performance Measurement Reports. Condition: The West Virginia Division of Highways (the Division) could not provide documentation that the Quarterly Project Progress Reports and Pre-project Performance Measurement Report, that were required to be submitted during the fiscal year under audit, were filed. Cause: The Division does not have proper policies and procedures in place surrounding the reporting compliance requirements. Effect or Potential Effect: The Division could not provide documentation that required reports were submitted to the federal awarding agency in accordance with the grant awards. Questioned Costs: Unknown Context: There was one Pre-project Performance Measurement Report and 15 Quarterly Project Progress Reports required to be filed in fiscal year 2023. Total federal expenditures for the National Infrastructure Investments program were $35,831,611 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that the Division implement policies and procedures surrounding reporting to ensure compliance with all conditions of the grant awards. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–016 SPECIAL TESTS AND PROVISIONS - NOTIFICATION OF CHANGES TO KEY PERSONNEL
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Transportation National Infrastructure Investments 20.933, Grant Award 693JJ22040000BDG0WV0522045, Grant Award 693JJ22040000BDG0WV0484326, Grant Award 693JJ22140000BDG3WV0641399, Grant Award 693JJ22240000BDG6WV0793309 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The terms and conditions of the grant awards require the recipient to notify all U.S. Department of Transportation (USDOT) representatives, noted in the grant agreement, in writing within 30 calendar days of any change in key personnel. Condition: The West Virginia Division of Highways (the Division) could not provide documentation that the USDOT was made aware of changes in key personnel within 30 calendar days. Cause: The Division does not have proper policies and procedures in place over the notification of changes to key personnel requirements. Effect or Potential Effect: The Division is not in compliance with the provisions of the grant awards since changes to key personnel were not communicated in writing to the USDOT within 30 calendar days. Questioned Costs: Unknown Context: There were three grants that had a change in key personnel; the change in key personnel was not communicated to the USDOT. Total federal expenditures for the National Infrastructure Investments program were $35,831,611 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that the Division implement policies and procedures surrounding the notification of changes to key personnel requirements to ensure compliance with all conditions of the grant awards. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–017 SPECIAL TESTS AND PROVISIONS – SATISFACTORY ACADEMIC PROGRESS (N9)
Federal Program Information: Federal Agency and Program Name Assistance Listing #
Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” 34 CFR 668.16(e) states: “For purposes of determining student eligibility for assistance under a title IV, HEA program, establishes, publishes, and applies reasonable standards for measuring whether an otherwise eligible student is maintaining satisfactory academic progress in his or her educational program. The Secretary considers an institution's standards to be reasonable if the standards are in accordance with the provisions specified in § 668.34.” 34 CFR 668.34 states: “An institution must establish a reasonable satisfactory academic progress policy for determining whether an otherwise eligible student is making satisfactory academic progress in his or her educational program and may receive assistance under the title IV, HEA programs. The Secretary considers the institution's policy to be reasonable if— (1) The policy is at least as strict as the policy the institution applies to a student who is not receiving assistance under the title IV, HEA programs; (2) The policy provides for consistent application of standards to all students within categories of students, e.g., full-time, part-time, undergraduate, and graduate students, and educational programs established by the institution; (3) The policy provides that a student's academic progress is evaluated— (i) At the end of each payment period if the educational program is either one academic year in length or shorter than an academic year; or (ii) For all other educational programs, at the end of each payment period or at least annually to correspond with the end of a payment period; (4) (i) The policy specifies the grade point average (GPA) that a student must achieve at each evaluation, or if a GPA is not an appropriate qualitative measure, a comparable assessment measured against a norm; and (ii) If a student is enrolled in an educational program of more than two academic years, the policy specifies that at the end of the second academic year, the student must have a GPA of at least a “C” or its equivalent, or have academic standing consistent with the institution's requirements for graduation; (5) The policy specifies— (i) For all programs, the maximum timeframe as defined in paragraph (b) of this section; and (ii) For a credit hour program using standard or nonstandard terms that is not a subscription-based program, the pace, measured at each evaluation, at which a student must progress through his or her educational program to ensure that the student will complete the program within the maximum timeframe, calculated by either dividing the cumulative number of hours the student has successfully completed by the cumulative number of hours the student has attempted or by determining the number of hours that the student should have completed by the evaluation point in order to complete the program within the maximum timeframe. In making this calculation, the institution is not required to include remedial courses; (6) The policy describes how a student's GPA and pace of completion are affected by course incompletes, withdrawals, or repetitions, or transfers of credit from other institutions. Credit hours from another institution that are accepted toward the student's educational program must count as both attempted and completed hours; (7) Except as provided in paragraphs (c) and (d) of this section, the policy provides that, at the time of each evaluation, a student who has not achieved the required GPA, or who is not successfully completing his or her educational program at the required pace, is no longer eligible to receive assistance under the title IV, HEA programs; (8) If the institution places students on financial aid warning, or on financial aid probation, as defined in paragraph (b) of this section, the policy describes these statuses and that— (i) A student on financial aid warning may continue to receive assistance under the title IV, HEA programs for one payment period despite a determination that the student is not making satisfactory academic progress. Financial aid warning status may be assigned without an appeal or other action by the student; and (ii) A student on financial aid probation may receive title IV, HEA program funds for one payment period. While a student is on financial aid probation, the institution may require the student to fulfill specific terms and conditions such as taking a reduced course load or enrolling in specific courses. At the end of one payment period on financial aid probation, the student must meet the institution's satisfactory academic progress standards or meet the requirements of the academic plan developed by the institution and the student to qualify for further title IV, HEA program funds; (9) If the institution permits a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy describes— (i) How the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; (ii) The basis on which a student may file an appeal: The death of a relative, an injury or illness of the student, or other special circumstances; and (iii) Information the student must submit regarding why the student failed to make satisfactory academic progress, and what has changed in the student's situation that will allow the student to demonstrate satisfactory academic progress at the next evaluation; (10) If the institution does not permit a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy must describe how the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; and (11) The policy provides for notification to students of the results of an evaluation that impacts the student's eligibility for title IV, HEA program funds.” Condition: Bluefield State University (BSU), Fairmont State University (FSU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia School of Osteopathic Medicine (WVSOM), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the satisfactory academic progress (SAP) policy. During our testing, we noted there was no documentation retained to evidence that a review of the SAP policy was performed to ensure compliance with federal regulations. Additionally, Blue Ridge Community College (BRCTC) and WVUP did not publish the most recent version of the SAP policy on their websites. Furthermore, WVSOM did not include reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policy as the related SAP polices excluded the required element #11 above. BRCTC had an appropriate policy, but they did not publish the most recent version of the policy on their website. The older version of the SAP policy that was published on their website did not include the required element #11 above. Cause: Management of BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP did not retain sufficient documentation for their review procedures over the SAP policy. Management of BRCTC and WVSOM did not include all reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policies. Effect or Potential Effect: The published SAP policy may be deemed insufficient for the compliance requirements. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP were $5,084,582, $7,651,688, $17,584,932, $93,991,163, $3,672,778, $16,726,007, $3,090,314, $44,681,370, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should ensure the SAP is reviewed and approved on an annual basis and supporting documentation of the review retained. Management should design and implement internal controls over the SAP policy to ensure all requirements are included in the policy appropriately and published on the institution’s website timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–019 SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY (N12)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls. (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (iv) Assess apps developed by the institution (v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (vi) Dispose of customer information securely (vii) Anticipate and evaluate changes to the information system or network. (viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Blue Ridge Community and Technical College (BRCTC), Concord University (CU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program for Bluefield University (BSU), CU, MU, NRCTC, Shepherd University (SU), WLU, WVNCC, West Virginia State University (WVSU) and WVUP did not address all required elements per 16 CFR 314.4 outlined above. Furthermore, Fairmont State University (FSU) and Pierpont Community and Technical College (PCTC) did not have a written Information Security Program. For FSU, the written Information Security Program was not in place until May 2023. Cause: Management of BRCTC, CU, MU, NRCTC, WLU, WVNCC, and WVUP did not retain sufficient documentation for their review procedures over the Information Security Program. Management of BSU, CU, MU, NRCTC, SU, WVNCC, and WVSU did not include all reasonable standards required for the Information Security Program. Management of FSU and PCTC did not have a written Information Security Program. Effect or Potential Effect: The written Information Security Program may not be compliant with federal regulations. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, CU, FSU, MU, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, and WVUP were $5,084,582, $7,651,688, $13,833,684, $17,584,932, $93,991,163, $3,672,778, $4,388,461, $15,171,851, $16,726,007, $3,090,314, $9,313,808, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–020 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – VERIFICATION (N1)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Fairmont State University (FSU) did not have adequate internal controls in place surrounding the verification compliance requirement. During our testing, we noted for the samples selected that there were multiple selections showing a lack of proper review in the verification process. Cause: FSU did not have adequate internal controls in place to ensure that verification changes identified were processed and submitted to the U.S. Department of Education. Effect or Potential Effect: Students receiving federal aid could receive the incorrect amount of federal student financial assistance. Questioned Costs: N/A Context: We selected a sample of 23 students for FSU and identified 8 instances where the verification forms were not reviewed and approved. Total Student Financial Assistance Cluster expenditures for FSU were $17,584,932 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–015 and 2021–014 Recommendation: Management should develop and update internal controls to ensure that controls related to the verification process are implemented. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–021 BANNER INFORMATION TECHNOLOGY GENERAL CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the Banner application instances at 12 of 15 universities / colleges. As a result, Banner ITGCs, and therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Across the 11 universities/colleges (Blue Ridge Community and Technical College, Bluefield State University, Mountwest Community and Technical College, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia University, West Virginia University at Parkersburg, and West Virginia State University), management did not have a formalized process to support access provisioning events were authorized, approved and documented. Additionally, documentation did not exist to support the timely revocation of access upon a user leaving the university / college. Further, a user access review for Banner was not performed to ensure access remains appropriate based on users’ job responsibilities. We also identified instances where privileged accounts to Banner were shared amongst users and password settings were not configured with leading industry standards. Specific to the change management process, a formalized and documented process was not consistently followed to support that Banner application and supporting infrastructure patches and releases were authorized, tested, and approved prior to being implemented to production. Effect or Potential Effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the student financial aid system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned Costs: None Context: The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified Banner access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the Banner application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the Banner application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access to the Banner application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. Management should configure Banner password settings related to minimum length, complexity, expiration, history, and account lockout to enhance overall security. Further, privileged access to the Banner application should be granted to administrators via unique IDs to provide accountability and avoid the sharing of default privileged accounts. A formal, documented change process needs implemented to capture authorization, testing and production migration approvals for patches and releases to the Banner application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–022 SPECIAL TESTS AND PROVISIONS – RETURN OF TITLE IV FUNDS (N4)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 34 CFR section 668.173(b) requires timely return of title IV, HEA program funds. “In accordance with procedures established by the Secretary or FFEL Program lender, an institution returns unearned title IV, HEA program funds timely if - (1) The institution deposits or transfers the funds into the bank account it maintains under § 668.163 no later than 45 days after the date it determines that the student withdrew; (2) The institution initiates an electronic funds transfer (EFT) no later than 45 days after the date it determines that the student withdrew; (3) The institution initiates an electronic transaction, no later than 45 days after the date it determines that the student withdrew, that informs a FFEL lender to adjust the borrower’s loan account for the amount returned; or (4) The institution issues a check no later than 45 days after the date it determines that the student withdrew. An institution does not satisfy this requirement if - (i) The institution’s records show that the check was issued more than 45 days after the date the institution determined that the student withdrew; or (ii) The date on the cancelled check shows that the bank used by the Secretary or FFEL Program lender endorsed that check more than 60 days after the date the institution determined that the student withdrew.” Condition: Blue Ridge Community and Technical College (BRCTC), Mountwest Career & Technical College (MCTC), Pierpont Community and Technical College (PCTC), and West Virginia Northern Community College (WVNCC) were unable to provide adequate documentation showing they maintained an effective review process over the returns of Title IV funds. In addition, for Bluefield State University (BSU) it was noted during compliance testing that certain amounts to be returned were not returned timely. Cause: The institutions do not have adequate internal controls in place over the return of Title IV funds to prevent noncompliance. Effect or Potential Effect: The institutions may not be returning the correct amount of federal student financial assistance required or the funds are not returned within the required time frame to the United States Department of Education. Questioned Costs: None Context: In 11 of 29 instances of internal control testing at BRCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. The support documentation provided did not include any evidence of review. In 19 of 22 instances of internal control testing at MCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. MCTC relied on application controls within the Banner system, which has been determined to have ineffective ITGCs. Additionally, the support documentation provided did not include sufficient evidence of review. In 2 of 18 instances in internal control testing at PCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. In addition, the return to Title IV funds was not completed within the required 45-day timeframe. In all 20 instances of internal control testing at WVNCC, we noted that the internal control was not sufficiently documented or not functioning effectively. WVNCC relied on the application controls within the Banner system, which has been determined to have ineffective ITGCs. Additionally, there was no evidence of review of the calculation in the support documentation provided. In one of 40 returns tested for compliance, we noted that one return related to BSU was not completed within the required 45-day timeframe. Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, MCTC, PCTC, and WVNCC were $5,084,582, $7,651,688, $4,467,631, $4,388,461, and $3,090,314, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643 Identification as a Repeat Finding: Prior Year Findings 2022–011 and 2021–015 Recommendation: Management should implement internal controls to ensure that the correct amount of federal student financial assistance is returned and returned within the required time frame. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–023 INTERNAL CONTROLS OVER CASH MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: For the period July 2022 – January 2023 at Fairmont State University (FSU), there was no second level review of drawdown requests for accuracy, completeness and agreement to the underlying books and records of the institution. Bluefield State University (BSU) did not retain evidence of the review and approval for one of seven drawdown requests selected for internal control testing. Mountwest Community and Technical College (MCTC) did not have evidence of the review control related to cash management. Three of the 15 drawdown requests selected for internal control testing did not have proper approval prior to the drawdowns. West Virginia Northern Community College (WVNCC) did not retain evidence of the review and approval for seven of 12 drawdown requests selected for control testing. Cause: For FSU, one individual was responsible for preparing the drawdown request and making the drawdown through the U.S. Department of Education’s G5 payment management system. Internal controls were not implemented until February 2023. BSU, MCTC, and WVNCC have policies and procedures in place to review the drawdowns prior to requesting from the U.S. Department of Education’s G5 payment management system; however, the policies and procedures were not followed for these drawdowns. Effect or Potential Effect: Drawdowns could be inaccurate, incomplete, and not agree to underlying books and records of the institution. Questioned Costs: None Context: Total BSU, FSU, MCTC, and WVNCC expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $7,651,688, $17,584,932, and $4,467,631, and $3,090,314 respectively. Total Student Financial Assistance Cluster expenditures were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: For FSU, management should continue to follow internal controls implemented in February 2023 requiring a second level review of drawdown requests. For BSU, MCTC, and WVNCC, management should follow established policies, procedures and internal controls for the review and approval of drawdown requests. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–024 SPECIAL TESTS AND PROVISIONS – USING A SERVICER TO DELIVER TITLE IV CREDIT BALANCES TO A CARD OR OTHER ACCESS DEVICE (N3)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” An institution may enter into an arrangement with a servicer or a financial institution to make a direct payment of federal student aid credit balances to students through electronic funds transfer to a bank account designated by a student or parent, to issue a check payment to the student or to use an access device such as a debit, demand, or smart card provided by the servicer or its financial partner. Regulations at 34 CFR 668.164(e) and (f) establish two different types of arrangements between schools and financial account providers: Tier One arrangements and Tier Two arrangements. The type of arrangement determines the provisions that are applicable to the school. 34 CFR 668.164(e)(2)(viii) states under a T1 arrangement, the institution must “provide to the Secretary an up-to-date URL for the contract and contract data as described in paragraph (e)(2)(vii) of this section for publication in a centralized database accessible to the public.” 34 CFR 668.164(e)(2)(ix) states under a T1 arrangement, the institution must “ensure that the terms of the accounts offered pursuant to a T1 arrangement are not inconsistent with the best financial interests of the students opening them. The Secretary considers this requirement to be met if (A) The institution documents that it conducts reasonable due diligence reviews at least every two years to ascertain whether the fees imposed under the T1 arrangement are, considered as a whole, consistent with or below prevailing market rates; and (B) All contracts for the marketing or offering of accounts pursuant to T1 arrangements to the institution's students make provision for termination of the arrangement by the institution based on complaints received from students or a determination by the institution under paragraph (e)(2)(ix)(A) of this section that the fees assessed under the T1 arrangement are not consistent with or are higher than prevailing market rates.” 34 CFR 668.164(e)(2)(x) states under a T1 arrangement, the institution must “take affirmative steps, by way of contractual arrangements with the third-party servicer as necessary, to ensure that requirements of this section are met with respect to all accounts offered pursuant to T1 arrangements.” Condition: Bluefield State University (BSU), Blueridge Community & Technical College (BRCTC), Concord University (CU), Mountwest Community & Technical College (MCTC), Shepherd University (SU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) have a T1 arrangement with a third-party servicer. BSU, CU, SU, WVNCC, and WVUP were unable to provide documentation showing that their institutions had submitted a URL to their contract with their third-party servicer and cost information related to their third-party servicer to the U.S. Department of Education for publication in the Cash Management Contracts Database. BSU, BRCTC, CU, MCTC, SU and WVNCC were unable to provide evidence showing that their institutions documented a due diligence review over the fees assessed by their third-party servicer of Title IV credit balances. Cause: BSU, BRCTC, CU, MCTC, SU, WVUP, and WVNCC did not have an internal control in place to review the contract with their third-party servicer of Title IV credit balances or obtain and review the third-party servicer’s Title IV compliance audit to ensure compliance with federal regulations. As such, instances of noncompliance were noted above. Effect or Potential Effect: The schools are not in compliance with certain federal regulations over T1 arrangements contained in 34 CFR 668.164(e). Questioned Costs: None Context: BSU, BRCTC, CU, MCTC, SU, WVNCC, and WVUP had total expenditures of $7,651,688, $5,084,582, $13,833,684, $4,467,631, $15,171,851, $3,090,314, and $6,847,451 respectively. Total expenditures for the SFA Cluster were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: The schools should implement internal controls over the review of the contract with their third-party servicer of Title IV credit balances and their Title IV compliance audit, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1) and Report on Controls Relevant to Security (SOC 2) to ensure compliance with the federal regulations over T1 arrangements. Documentation over the specific items reviewed and conclusions reached should be retained to support the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–017 SPECIAL TESTS AND PROVISIONS – SATISFACTORY ACADEMIC PROGRESS (N9)
Federal Program Information: Federal Agency and Program Name Assistance Listing #
Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” 34 CFR 668.16(e) states: “For purposes of determining student eligibility for assistance under a title IV, HEA program, establishes, publishes, and applies reasonable standards for measuring whether an otherwise eligible student is maintaining satisfactory academic progress in his or her educational program. The Secretary considers an institution's standards to be reasonable if the standards are in accordance with the provisions specified in § 668.34.” 34 CFR 668.34 states: “An institution must establish a reasonable satisfactory academic progress policy for determining whether an otherwise eligible student is making satisfactory academic progress in his or her educational program and may receive assistance under the title IV, HEA programs. The Secretary considers the institution's policy to be reasonable if— (1) The policy is at least as strict as the policy the institution applies to a student who is not receiving assistance under the title IV, HEA programs; (2) The policy provides for consistent application of standards to all students within categories of students, e.g., full-time, part-time, undergraduate, and graduate students, and educational programs established by the institution; (3) The policy provides that a student's academic progress is evaluated— (i) At the end of each payment period if the educational program is either one academic year in length or shorter than an academic year; or (ii) For all other educational programs, at the end of each payment period or at least annually to correspond with the end of a payment period; (4) (i) The policy specifies the grade point average (GPA) that a student must achieve at each evaluation, or if a GPA is not an appropriate qualitative measure, a comparable assessment measured against a norm; and (ii) If a student is enrolled in an educational program of more than two academic years, the policy specifies that at the end of the second academic year, the student must have a GPA of at least a “C” or its equivalent, or have academic standing consistent with the institution's requirements for graduation; (5) The policy specifies— (i) For all programs, the maximum timeframe as defined in paragraph (b) of this section; and (ii) For a credit hour program using standard or nonstandard terms that is not a subscription-based program, the pace, measured at each evaluation, at which a student must progress through his or her educational program to ensure that the student will complete the program within the maximum timeframe, calculated by either dividing the cumulative number of hours the student has successfully completed by the cumulative number of hours the student has attempted or by determining the number of hours that the student should have completed by the evaluation point in order to complete the program within the maximum timeframe. In making this calculation, the institution is not required to include remedial courses; (6) The policy describes how a student's GPA and pace of completion are affected by course incompletes, withdrawals, or repetitions, or transfers of credit from other institutions. Credit hours from another institution that are accepted toward the student's educational program must count as both attempted and completed hours; (7) Except as provided in paragraphs (c) and (d) of this section, the policy provides that, at the time of each evaluation, a student who has not achieved the required GPA, or who is not successfully completing his or her educational program at the required pace, is no longer eligible to receive assistance under the title IV, HEA programs; (8) If the institution places students on financial aid warning, or on financial aid probation, as defined in paragraph (b) of this section, the policy describes these statuses and that— (i) A student on financial aid warning may continue to receive assistance under the title IV, HEA programs for one payment period despite a determination that the student is not making satisfactory academic progress. Financial aid warning status may be assigned without an appeal or other action by the student; and (ii) A student on financial aid probation may receive title IV, HEA program funds for one payment period. While a student is on financial aid probation, the institution may require the student to fulfill specific terms and conditions such as taking a reduced course load or enrolling in specific courses. At the end of one payment period on financial aid probation, the student must meet the institution's satisfactory academic progress standards or meet the requirements of the academic plan developed by the institution and the student to qualify for further title IV, HEA program funds; (9) If the institution permits a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy describes— (i) How the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; (ii) The basis on which a student may file an appeal: The death of a relative, an injury or illness of the student, or other special circumstances; and (iii) Information the student must submit regarding why the student failed to make satisfactory academic progress, and what has changed in the student's situation that will allow the student to demonstrate satisfactory academic progress at the next evaluation; (10) If the institution does not permit a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy must describe how the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; and (11) The policy provides for notification to students of the results of an evaluation that impacts the student's eligibility for title IV, HEA program funds.” Condition: Bluefield State University (BSU), Fairmont State University (FSU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia School of Osteopathic Medicine (WVSOM), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the satisfactory academic progress (SAP) policy. During our testing, we noted there was no documentation retained to evidence that a review of the SAP policy was performed to ensure compliance with federal regulations. Additionally, Blue Ridge Community College (BRCTC) and WVUP did not publish the most recent version of the SAP policy on their websites. Furthermore, WVSOM did not include reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policy as the related SAP polices excluded the required element #11 above. BRCTC had an appropriate policy, but they did not publish the most recent version of the policy on their website. The older version of the SAP policy that was published on their website did not include the required element #11 above. Cause: Management of BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP did not retain sufficient documentation for their review procedures over the SAP policy. Management of BRCTC and WVSOM did not include all reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policies. Effect or Potential Effect: The published SAP policy may be deemed insufficient for the compliance requirements. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP were $5,084,582, $7,651,688, $17,584,932, $93,991,163, $3,672,778, $16,726,007, $3,090,314, $44,681,370, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should ensure the SAP is reviewed and approved on an annual basis and supporting documentation of the review retained. Management should design and implement internal controls over the SAP policy to ensure all requirements are included in the policy appropriately and published on the institution’s website timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–019 SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY (N12)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls. (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (iv) Assess apps developed by the institution (v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (vi) Dispose of customer information securely (vii) Anticipate and evaluate changes to the information system or network. (viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Blue Ridge Community and Technical College (BRCTC), Concord University (CU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program for Bluefield University (BSU), CU, MU, NRCTC, Shepherd University (SU), WLU, WVNCC, West Virginia State University (WVSU) and WVUP did not address all required elements per 16 CFR 314.4 outlined above. Furthermore, Fairmont State University (FSU) and Pierpont Community and Technical College (PCTC) did not have a written Information Security Program. For FSU, the written Information Security Program was not in place until May 2023. Cause: Management of BRCTC, CU, MU, NRCTC, WLU, WVNCC, and WVUP did not retain sufficient documentation for their review procedures over the Information Security Program. Management of BSU, CU, MU, NRCTC, SU, WVNCC, and WVSU did not include all reasonable standards required for the Information Security Program. Management of FSU and PCTC did not have a written Information Security Program. Effect or Potential Effect: The written Information Security Program may not be compliant with federal regulations. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, CU, FSU, MU, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, and WVUP were $5,084,582, $7,651,688, $13,833,684, $17,584,932, $93,991,163, $3,672,778, $4,388,461, $15,171,851, $16,726,007, $3,090,314, $9,313,808, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–020 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – VERIFICATION (N1)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Fairmont State University (FSU) did not have adequate internal controls in place surrounding the verification compliance requirement. During our testing, we noted for the samples selected that there were multiple selections showing a lack of proper review in the verification process. Cause: FSU did not have adequate internal controls in place to ensure that verification changes identified were processed and submitted to the U.S. Department of Education. Effect or Potential Effect: Students receiving federal aid could receive the incorrect amount of federal student financial assistance. Questioned Costs: N/A Context: We selected a sample of 23 students for FSU and identified 8 instances where the verification forms were not reviewed and approved. Total Student Financial Assistance Cluster expenditures for FSU were $17,584,932 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–015 and 2021–014 Recommendation: Management should develop and update internal controls to ensure that controls related to the verification process are implemented. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–021 BANNER INFORMATION TECHNOLOGY GENERAL CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the Banner application instances at 12 of 15 universities / colleges. As a result, Banner ITGCs, and therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Across the 11 universities/colleges (Blue Ridge Community and Technical College, Bluefield State University, Mountwest Community and Technical College, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia University, West Virginia University at Parkersburg, and West Virginia State University), management did not have a formalized process to support access provisioning events were authorized, approved and documented. Additionally, documentation did not exist to support the timely revocation of access upon a user leaving the university / college. Further, a user access review for Banner was not performed to ensure access remains appropriate based on users’ job responsibilities. We also identified instances where privileged accounts to Banner were shared amongst users and password settings were not configured with leading industry standards. Specific to the change management process, a formalized and documented process was not consistently followed to support that Banner application and supporting infrastructure patches and releases were authorized, tested, and approved prior to being implemented to production. Effect or Potential Effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the student financial aid system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned Costs: None Context: The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified Banner access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the Banner application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the Banner application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access to the Banner application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. Management should configure Banner password settings related to minimum length, complexity, expiration, history, and account lockout to enhance overall security. Further, privileged access to the Banner application should be granted to administrators via unique IDs to provide accountability and avoid the sharing of default privileged accounts. A formal, documented change process needs implemented to capture authorization, testing and production migration approvals for patches and releases to the Banner application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–022 SPECIAL TESTS AND PROVISIONS – RETURN OF TITLE IV FUNDS (N4)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 34 CFR section 668.173(b) requires timely return of title IV, HEA program funds. “In accordance with procedures established by the Secretary or FFEL Program lender, an institution returns unearned title IV, HEA program funds timely if - (1) The institution deposits or transfers the funds into the bank account it maintains under § 668.163 no later than 45 days after the date it determines that the student withdrew; (2) The institution initiates an electronic funds transfer (EFT) no later than 45 days after the date it determines that the student withdrew; (3) The institution initiates an electronic transaction, no later than 45 days after the date it determines that the student withdrew, that informs a FFEL lender to adjust the borrower’s loan account for the amount returned; or (4) The institution issues a check no later than 45 days after the date it determines that the student withdrew. An institution does not satisfy this requirement if - (i) The institution’s records show that the check was issued more than 45 days after the date the institution determined that the student withdrew; or (ii) The date on the cancelled check shows that the bank used by the Secretary or FFEL Program lender endorsed that check more than 60 days after the date the institution determined that the student withdrew.” Condition: Blue Ridge Community and Technical College (BRCTC), Mountwest Career & Technical College (MCTC), Pierpont Community and Technical College (PCTC), and West Virginia Northern Community College (WVNCC) were unable to provide adequate documentation showing they maintained an effective review process over the returns of Title IV funds. In addition, for Bluefield State University (BSU) it was noted during compliance testing that certain amounts to be returned were not returned timely. Cause: The institutions do not have adequate internal controls in place over the return of Title IV funds to prevent noncompliance. Effect or Potential Effect: The institutions may not be returning the correct amount of federal student financial assistance required or the funds are not returned within the required time frame to the United States Department of Education. Questioned Costs: None Context: In 11 of 29 instances of internal control testing at BRCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. The support documentation provided did not include any evidence of review. In 19 of 22 instances of internal control testing at MCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. MCTC relied on application controls within the Banner system, which has been determined to have ineffective ITGCs. Additionally, the support documentation provided did not include sufficient evidence of review. In 2 of 18 instances in internal control testing at PCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. In addition, the return to Title IV funds was not completed within the required 45-day timeframe. In all 20 instances of internal control testing at WVNCC, we noted that the internal control was not sufficiently documented or not functioning effectively. WVNCC relied on the application controls within the Banner system, which has been determined to have ineffective ITGCs. Additionally, there was no evidence of review of the calculation in the support documentation provided. In one of 40 returns tested for compliance, we noted that one return related to BSU was not completed within the required 45-day timeframe. Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, MCTC, PCTC, and WVNCC were $5,084,582, $7,651,688, $4,467,631, $4,388,461, and $3,090,314, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643 Identification as a Repeat Finding: Prior Year Findings 2022–011 and 2021–015 Recommendation: Management should implement internal controls to ensure that the correct amount of federal student financial assistance is returned and returned within the required time frame. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–023 INTERNAL CONTROLS OVER CASH MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: For the period July 2022 – January 2023 at Fairmont State University (FSU), there was no second level review of drawdown requests for accuracy, completeness and agreement to the underlying books and records of the institution. Bluefield State University (BSU) did not retain evidence of the review and approval for one of seven drawdown requests selected for internal control testing. Mountwest Community and Technical College (MCTC) did not have evidence of the review control related to cash management. Three of the 15 drawdown requests selected for internal control testing did not have proper approval prior to the drawdowns. West Virginia Northern Community College (WVNCC) did not retain evidence of the review and approval for seven of 12 drawdown requests selected for control testing. Cause: For FSU, one individual was responsible for preparing the drawdown request and making the drawdown through the U.S. Department of Education’s G5 payment management system. Internal controls were not implemented until February 2023. BSU, MCTC, and WVNCC have policies and procedures in place to review the drawdowns prior to requesting from the U.S. Department of Education’s G5 payment management system; however, the policies and procedures were not followed for these drawdowns. Effect or Potential Effect: Drawdowns could be inaccurate, incomplete, and not agree to underlying books and records of the institution. Questioned Costs: None Context: Total BSU, FSU, MCTC, and WVNCC expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $7,651,688, $17,584,932, and $4,467,631, and $3,090,314 respectively. Total Student Financial Assistance Cluster expenditures were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: For FSU, management should continue to follow internal controls implemented in February 2023 requiring a second level review of drawdown requests. For BSU, MCTC, and WVNCC, management should follow established policies, procedures and internal controls for the review and approval of drawdown requests. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–024 SPECIAL TESTS AND PROVISIONS – USING A SERVICER TO DELIVER TITLE IV CREDIT BALANCES TO A CARD OR OTHER ACCESS DEVICE (N3)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” An institution may enter into an arrangement with a servicer or a financial institution to make a direct payment of federal student aid credit balances to students through electronic funds transfer to a bank account designated by a student or parent, to issue a check payment to the student or to use an access device such as a debit, demand, or smart card provided by the servicer or its financial partner. Regulations at 34 CFR 668.164(e) and (f) establish two different types of arrangements between schools and financial account providers: Tier One arrangements and Tier Two arrangements. The type of arrangement determines the provisions that are applicable to the school. 34 CFR 668.164(e)(2)(viii) states under a T1 arrangement, the institution must “provide to the Secretary an up-to-date URL for the contract and contract data as described in paragraph (e)(2)(vii) of this section for publication in a centralized database accessible to the public.” 34 CFR 668.164(e)(2)(ix) states under a T1 arrangement, the institution must “ensure that the terms of the accounts offered pursuant to a T1 arrangement are not inconsistent with the best financial interests of the students opening them. The Secretary considers this requirement to be met if (A) The institution documents that it conducts reasonable due diligence reviews at least every two years to ascertain whether the fees imposed under the T1 arrangement are, considered as a whole, consistent with or below prevailing market rates; and (B) All contracts for the marketing or offering of accounts pursuant to T1 arrangements to the institution's students make provision for termination of the arrangement by the institution based on complaints received from students or a determination by the institution under paragraph (e)(2)(ix)(A) of this section that the fees assessed under the T1 arrangement are not consistent with or are higher than prevailing market rates.” 34 CFR 668.164(e)(2)(x) states under a T1 arrangement, the institution must “take affirmative steps, by way of contractual arrangements with the third-party servicer as necessary, to ensure that requirements of this section are met with respect to all accounts offered pursuant to T1 arrangements.” Condition: Bluefield State University (BSU), Blueridge Community & Technical College (BRCTC), Concord University (CU), Mountwest Community & Technical College (MCTC), Shepherd University (SU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) have a T1 arrangement with a third-party servicer. BSU, CU, SU, WVNCC, and WVUP were unable to provide documentation showing that their institutions had submitted a URL to their contract with their third-party servicer and cost information related to their third-party servicer to the U.S. Department of Education for publication in the Cash Management Contracts Database. BSU, BRCTC, CU, MCTC, SU and WVNCC were unable to provide evidence showing that their institutions documented a due diligence review over the fees assessed by their third-party servicer of Title IV credit balances. Cause: BSU, BRCTC, CU, MCTC, SU, WVUP, and WVNCC did not have an internal control in place to review the contract with their third-party servicer of Title IV credit balances or obtain and review the third-party servicer’s Title IV compliance audit to ensure compliance with federal regulations. As such, instances of noncompliance were noted above. Effect or Potential Effect: The schools are not in compliance with certain federal regulations over T1 arrangements contained in 34 CFR 668.164(e). Questioned Costs: None Context: BSU, BRCTC, CU, MCTC, SU, WVNCC, and WVUP had total expenditures of $7,651,688, $5,084,582, $13,833,684, $4,467,631, $15,171,851, $3,090,314, and $6,847,451 respectively. Total expenditures for the SFA Cluster were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: The schools should implement internal controls over the review of the contract with their third-party servicer of Title IV credit balances and their Title IV compliance audit, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1) and Report on Controls Relevant to Security (SOC 2) to ensure compliance with the federal regulations over T1 arrangements. Documentation over the specific items reviewed and conclusions reached should be retained to support the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–017 SPECIAL TESTS AND PROVISIONS – SATISFACTORY ACADEMIC PROGRESS (N9)
Federal Program Information: Federal Agency and Program Name Assistance Listing #
Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” 34 CFR 668.16(e) states: “For purposes of determining student eligibility for assistance under a title IV, HEA program, establishes, publishes, and applies reasonable standards for measuring whether an otherwise eligible student is maintaining satisfactory academic progress in his or her educational program. The Secretary considers an institution's standards to be reasonable if the standards are in accordance with the provisions specified in § 668.34.” 34 CFR 668.34 states: “An institution must establish a reasonable satisfactory academic progress policy for determining whether an otherwise eligible student is making satisfactory academic progress in his or her educational program and may receive assistance under the title IV, HEA programs. The Secretary considers the institution's policy to be reasonable if— (1) The policy is at least as strict as the policy the institution applies to a student who is not receiving assistance under the title IV, HEA programs; (2) The policy provides for consistent application of standards to all students within categories of students, e.g., full-time, part-time, undergraduate, and graduate students, and educational programs established by the institution; (3) The policy provides that a student's academic progress is evaluated— (i) At the end of each payment period if the educational program is either one academic year in length or shorter than an academic year; or (ii) For all other educational programs, at the end of each payment period or at least annually to correspond with the end of a payment period; (4) (i) The policy specifies the grade point average (GPA) that a student must achieve at each evaluation, or if a GPA is not an appropriate qualitative measure, a comparable assessment measured against a norm; and (ii) If a student is enrolled in an educational program of more than two academic years, the policy specifies that at the end of the second academic year, the student must have a GPA of at least a “C” or its equivalent, or have academic standing consistent with the institution's requirements for graduation; (5) The policy specifies— (i) For all programs, the maximum timeframe as defined in paragraph (b) of this section; and (ii) For a credit hour program using standard or nonstandard terms that is not a subscription-based program, the pace, measured at each evaluation, at which a student must progress through his or her educational program to ensure that the student will complete the program within the maximum timeframe, calculated by either dividing the cumulative number of hours the student has successfully completed by the cumulative number of hours the student has attempted or by determining the number of hours that the student should have completed by the evaluation point in order to complete the program within the maximum timeframe. In making this calculation, the institution is not required to include remedial courses; (6) The policy describes how a student's GPA and pace of completion are affected by course incompletes, withdrawals, or repetitions, or transfers of credit from other institutions. Credit hours from another institution that are accepted toward the student's educational program must count as both attempted and completed hours; (7) Except as provided in paragraphs (c) and (d) of this section, the policy provides that, at the time of each evaluation, a student who has not achieved the required GPA, or who is not successfully completing his or her educational program at the required pace, is no longer eligible to receive assistance under the title IV, HEA programs; (8) If the institution places students on financial aid warning, or on financial aid probation, as defined in paragraph (b) of this section, the policy describes these statuses and that— (i) A student on financial aid warning may continue to receive assistance under the title IV, HEA programs for one payment period despite a determination that the student is not making satisfactory academic progress. Financial aid warning status may be assigned without an appeal or other action by the student; and (ii) A student on financial aid probation may receive title IV, HEA program funds for one payment period. While a student is on financial aid probation, the institution may require the student to fulfill specific terms and conditions such as taking a reduced course load or enrolling in specific courses. At the end of one payment period on financial aid probation, the student must meet the institution's satisfactory academic progress standards or meet the requirements of the academic plan developed by the institution and the student to qualify for further title IV, HEA program funds; (9) If the institution permits a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy describes— (i) How the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; (ii) The basis on which a student may file an appeal: The death of a relative, an injury or illness of the student, or other special circumstances; and (iii) Information the student must submit regarding why the student failed to make satisfactory academic progress, and what has changed in the student's situation that will allow the student to demonstrate satisfactory academic progress at the next evaluation; (10) If the institution does not permit a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy must describe how the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; and (11) The policy provides for notification to students of the results of an evaluation that impacts the student's eligibility for title IV, HEA program funds.” Condition: Bluefield State University (BSU), Fairmont State University (FSU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia School of Osteopathic Medicine (WVSOM), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the satisfactory academic progress (SAP) policy. During our testing, we noted there was no documentation retained to evidence that a review of the SAP policy was performed to ensure compliance with federal regulations. Additionally, Blue Ridge Community College (BRCTC) and WVUP did not publish the most recent version of the SAP policy on their websites. Furthermore, WVSOM did not include reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policy as the related SAP polices excluded the required element #11 above. BRCTC had an appropriate policy, but they did not publish the most recent version of the policy on their website. The older version of the SAP policy that was published on their website did not include the required element #11 above. Cause: Management of BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP did not retain sufficient documentation for their review procedures over the SAP policy. Management of BRCTC and WVSOM did not include all reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policies. Effect or Potential Effect: The published SAP policy may be deemed insufficient for the compliance requirements. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP were $5,084,582, $7,651,688, $17,584,932, $93,991,163, $3,672,778, $16,726,007, $3,090,314, $44,681,370, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should ensure the SAP is reviewed and approved on an annual basis and supporting documentation of the review retained. Management should design and implement internal controls over the SAP policy to ensure all requirements are included in the policy appropriately and published on the institution’s website timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–019 SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY (N12)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls. (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (iv) Assess apps developed by the institution (v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (vi) Dispose of customer information securely (vii) Anticipate and evaluate changes to the information system or network. (viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Blue Ridge Community and Technical College (BRCTC), Concord University (CU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program for Bluefield University (BSU), CU, MU, NRCTC, Shepherd University (SU), WLU, WVNCC, West Virginia State University (WVSU) and WVUP did not address all required elements per 16 CFR 314.4 outlined above. Furthermore, Fairmont State University (FSU) and Pierpont Community and Technical College (PCTC) did not have a written Information Security Program. For FSU, the written Information Security Program was not in place until May 2023. Cause: Management of BRCTC, CU, MU, NRCTC, WLU, WVNCC, and WVUP did not retain sufficient documentation for their review procedures over the Information Security Program. Management of BSU, CU, MU, NRCTC, SU, WVNCC, and WVSU did not include all reasonable standards required for the Information Security Program. Management of FSU and PCTC did not have a written Information Security Program. Effect or Potential Effect: The written Information Security Program may not be compliant with federal regulations. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, CU, FSU, MU, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, and WVUP were $5,084,582, $7,651,688, $13,833,684, $17,584,932, $93,991,163, $3,672,778, $4,388,461, $15,171,851, $16,726,007, $3,090,314, $9,313,808, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–020 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – VERIFICATION (N1)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Fairmont State University (FSU) did not have adequate internal controls in place surrounding the verification compliance requirement. During our testing, we noted for the samples selected that there were multiple selections showing a lack of proper review in the verification process. Cause: FSU did not have adequate internal controls in place to ensure that verification changes identified were processed and submitted to the U.S. Department of Education. Effect or Potential Effect: Students receiving federal aid could receive the incorrect amount of federal student financial assistance. Questioned Costs: N/A Context: We selected a sample of 23 students for FSU and identified 8 instances where the verification forms were not reviewed and approved. Total Student Financial Assistance Cluster expenditures for FSU were $17,584,932 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–015 and 2021–014 Recommendation: Management should develop and update internal controls to ensure that controls related to the verification process are implemented. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–021 BANNER INFORMATION TECHNOLOGY GENERAL CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the Banner application instances at 12 of 15 universities / colleges. As a result, Banner ITGCs, and therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Across the 11 universities/colleges (Blue Ridge Community and Technical College, Bluefield State University, Mountwest Community and Technical College, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia University, West Virginia University at Parkersburg, and West Virginia State University), management did not have a formalized process to support access provisioning events were authorized, approved and documented. Additionally, documentation did not exist to support the timely revocation of access upon a user leaving the university / college. Further, a user access review for Banner was not performed to ensure access remains appropriate based on users’ job responsibilities. We also identified instances where privileged accounts to Banner were shared amongst users and password settings were not configured with leading industry standards. Specific to the change management process, a formalized and documented process was not consistently followed to support that Banner application and supporting infrastructure patches and releases were authorized, tested, and approved prior to being implemented to production. Effect or Potential Effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the student financial aid system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned Costs: None Context: The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified Banner access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the Banner application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the Banner application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access to the Banner application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. Management should configure Banner password settings related to minimum length, complexity, expiration, history, and account lockout to enhance overall security. Further, privileged access to the Banner application should be granted to administrators via unique IDs to provide accountability and avoid the sharing of default privileged accounts. A formal, documented change process needs implemented to capture authorization, testing and production migration approvals for patches and releases to the Banner application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–024 SPECIAL TESTS AND PROVISIONS – USING A SERVICER TO DELIVER TITLE IV CREDIT BALANCES TO A CARD OR OTHER ACCESS DEVICE (N3)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” An institution may enter into an arrangement with a servicer or a financial institution to make a direct payment of federal student aid credit balances to students through electronic funds transfer to a bank account designated by a student or parent, to issue a check payment to the student or to use an access device such as a debit, demand, or smart card provided by the servicer or its financial partner. Regulations at 34 CFR 668.164(e) and (f) establish two different types of arrangements between schools and financial account providers: Tier One arrangements and Tier Two arrangements. The type of arrangement determines the provisions that are applicable to the school. 34 CFR 668.164(e)(2)(viii) states under a T1 arrangement, the institution must “provide to the Secretary an up-to-date URL for the contract and contract data as described in paragraph (e)(2)(vii) of this section for publication in a centralized database accessible to the public.” 34 CFR 668.164(e)(2)(ix) states under a T1 arrangement, the institution must “ensure that the terms of the accounts offered pursuant to a T1 arrangement are not inconsistent with the best financial interests of the students opening them. The Secretary considers this requirement to be met if (A) The institution documents that it conducts reasonable due diligence reviews at least every two years to ascertain whether the fees imposed under the T1 arrangement are, considered as a whole, consistent with or below prevailing market rates; and (B) All contracts for the marketing or offering of accounts pursuant to T1 arrangements to the institution's students make provision for termination of the arrangement by the institution based on complaints received from students or a determination by the institution under paragraph (e)(2)(ix)(A) of this section that the fees assessed under the T1 arrangement are not consistent with or are higher than prevailing market rates.” 34 CFR 668.164(e)(2)(x) states under a T1 arrangement, the institution must “take affirmative steps, by way of contractual arrangements with the third-party servicer as necessary, to ensure that requirements of this section are met with respect to all accounts offered pursuant to T1 arrangements.” Condition: Bluefield State University (BSU), Blueridge Community & Technical College (BRCTC), Concord University (CU), Mountwest Community & Technical College (MCTC), Shepherd University (SU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) have a T1 arrangement with a third-party servicer. BSU, CU, SU, WVNCC, and WVUP were unable to provide documentation showing that their institutions had submitted a URL to their contract with their third-party servicer and cost information related to their third-party servicer to the U.S. Department of Education for publication in the Cash Management Contracts Database. BSU, BRCTC, CU, MCTC, SU and WVNCC were unable to provide evidence showing that their institutions documented a due diligence review over the fees assessed by their third-party servicer of Title IV credit balances. Cause: BSU, BRCTC, CU, MCTC, SU, WVUP, and WVNCC did not have an internal control in place to review the contract with their third-party servicer of Title IV credit balances or obtain and review the third-party servicer’s Title IV compliance audit to ensure compliance with federal regulations. As such, instances of noncompliance were noted above. Effect or Potential Effect: The schools are not in compliance with certain federal regulations over T1 arrangements contained in 34 CFR 668.164(e). Questioned Costs: None Context: BSU, BRCTC, CU, MCTC, SU, WVNCC, and WVUP had total expenditures of $7,651,688, $5,084,582, $13,833,684, $4,467,631, $15,171,851, $3,090,314, and $6,847,451 respectively. Total expenditures for the SFA Cluster were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: The schools should implement internal controls over the review of the contract with their third-party servicer of Title IV credit balances and their Title IV compliance audit, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1) and Report on Controls Relevant to Security (SOC 2) to ensure compliance with the federal regulations over T1 arrangements. Documentation over the specific items reviewed and conclusions reached should be retained to support the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–025 SPECIAL TESTS AND PROVISIONS – PERKINS LOAN RECORDKEEPING AND RECORD RETENTION (N7)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.038
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” As stated in the 2023 OMB Compliance Supplement (34 CFR 674.19), “when an institution uses a third-party servicer for its Perkins Loan program, the institution must perform due diligence to ensure that the third-party servicer is in compliance with the requirements for the functions the third-party servicer is performing for the institution. Such due diligence could include obtaining and reviewing the third-party servicer’s most recent Title IV compliance audit.” 34 CFR 674.19(e)(2) states “an institution shall retain a record of disbursements for each loan made to a borrower on a Master Promissory Note (MPN). This record must show the date and amount of each disbursement.” 34 CFR 674.19(e)(4) states “Manner of retention of promissory notes and repayment schedules. An institution shall keep the original promissory notes and repayment schedules until the loans are satisfied. If required to release original documents in order to enforce the loan, the institution must retain certified true copies of those documents. (i) An institution shall keep the original paper promissory note or original paper MPN and repayment schedules in a locked, fireproof container. (ii) If a promissory note was signed electronically, the institution must store it electronically and the promissory note must be retrievable in a coherent format. An original electronically signed MPN must be retained by the institution for 3 years after all the loans made on the MPN are satisfied. (iii) After the loan obligation is satisfied, the institution shall return the original or a true and exact copy of the note marked “paid in full” to the borrower, or otherwise notify the borrower in writing that the loan is paid in full, and retain a copy for the prescribed period.” Condition: Concord University (CU), Marshall University (MU), Shepherd University (SU), West Liberty University (WLU), West Virginia School of Osteopathic Medicine (WVSOM), and West Virginia University (WVU) did not maintain sufficient evidence of the due diligence review performed over their third-party servicer of its Federal Perkins Loan Program portfolio. While the schools obtained the third-party servicer’s Title IV compliance audit report, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1) and Report on Controls Relevant to Security (SOC 2), the schools did not retain documentation showing what specific items were reviewed or what conclusions were reached related to the servicers compliance with the requirements they were contracted for. For six of 40 Perkins loans sampled, WVU could not provide a copy of the MPN. Cause: CU, MU, SU, WLU, WVSOM and WVU did not have effective internal controls in place requiring retention of the due diligence review performed. WVU did not have adequate internal controls in place over the retention of Perkins loan records, specifically, MPNs. Effect or Potential Effect: The third-party servicer could be out of compliance with federal regulations and have ineffective internal controls which could impact the school’s compliance with the Federal Perkins Loan Program requirements. In addition, WVU is in noncompliance with federal Perkins loan recordkeeping and record retention requirements. Questioned Costs: None Context: CU, MU, SU, WLU, WVSOM, and WVU had Federal Perkins Loan Program expenditures of $1,096,355, $2,246,751, $60,304, $1,076,806, $482,984, and $8,147,751, respectively. Total Federal Perkins Loan Program expenditures were $13,183,684 for the year ended June 30, 2023. Total expenditures for the SFA Cluster were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: The schools should retain all relevant documentation used in performing the due diligence review, including the specific items reviewed and the conclusions reached. In addition, WVU should ensure it is retaining the required Perkins loan program records for the timeframe required per federal regulations. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–017 SPECIAL TESTS AND PROVISIONS – SATISFACTORY ACADEMIC PROGRESS (N9)
Federal Program Information: Federal Agency and Program Name Assistance Listing #
Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” 34 CFR 668.16(e) states: “For purposes of determining student eligibility for assistance under a title IV, HEA program, establishes, publishes, and applies reasonable standards for measuring whether an otherwise eligible student is maintaining satisfactory academic progress in his or her educational program. The Secretary considers an institution's standards to be reasonable if the standards are in accordance with the provisions specified in § 668.34.” 34 CFR 668.34 states: “An institution must establish a reasonable satisfactory academic progress policy for determining whether an otherwise eligible student is making satisfactory academic progress in his or her educational program and may receive assistance under the title IV, HEA programs. The Secretary considers the institution's policy to be reasonable if— (1) The policy is at least as strict as the policy the institution applies to a student who is not receiving assistance under the title IV, HEA programs; (2) The policy provides for consistent application of standards to all students within categories of students, e.g., full-time, part-time, undergraduate, and graduate students, and educational programs established by the institution; (3) The policy provides that a student's academic progress is evaluated— (i) At the end of each payment period if the educational program is either one academic year in length or shorter than an academic year; or (ii) For all other educational programs, at the end of each payment period or at least annually to correspond with the end of a payment period; (4) (i) The policy specifies the grade point average (GPA) that a student must achieve at each evaluation, or if a GPA is not an appropriate qualitative measure, a comparable assessment measured against a norm; and (ii) If a student is enrolled in an educational program of more than two academic years, the policy specifies that at the end of the second academic year, the student must have a GPA of at least a “C” or its equivalent, or have academic standing consistent with the institution's requirements for graduation; (5) The policy specifies— (i) For all programs, the maximum timeframe as defined in paragraph (b) of this section; and (ii) For a credit hour program using standard or nonstandard terms that is not a subscription-based program, the pace, measured at each evaluation, at which a student must progress through his or her educational program to ensure that the student will complete the program within the maximum timeframe, calculated by either dividing the cumulative number of hours the student has successfully completed by the cumulative number of hours the student has attempted or by determining the number of hours that the student should have completed by the evaluation point in order to complete the program within the maximum timeframe. In making this calculation, the institution is not required to include remedial courses; (6) The policy describes how a student's GPA and pace of completion are affected by course incompletes, withdrawals, or repetitions, or transfers of credit from other institutions. Credit hours from another institution that are accepted toward the student's educational program must count as both attempted and completed hours; (7) Except as provided in paragraphs (c) and (d) of this section, the policy provides that, at the time of each evaluation, a student who has not achieved the required GPA, or who is not successfully completing his or her educational program at the required pace, is no longer eligible to receive assistance under the title IV, HEA programs; (8) If the institution places students on financial aid warning, or on financial aid probation, as defined in paragraph (b) of this section, the policy describes these statuses and that— (i) A student on financial aid warning may continue to receive assistance under the title IV, HEA programs for one payment period despite a determination that the student is not making satisfactory academic progress. Financial aid warning status may be assigned without an appeal or other action by the student; and (ii) A student on financial aid probation may receive title IV, HEA program funds for one payment period. While a student is on financial aid probation, the institution may require the student to fulfill specific terms and conditions such as taking a reduced course load or enrolling in specific courses. At the end of one payment period on financial aid probation, the student must meet the institution's satisfactory academic progress standards or meet the requirements of the academic plan developed by the institution and the student to qualify for further title IV, HEA program funds; (9) If the institution permits a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy describes— (i) How the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; (ii) The basis on which a student may file an appeal: The death of a relative, an injury or illness of the student, or other special circumstances; and (iii) Information the student must submit regarding why the student failed to make satisfactory academic progress, and what has changed in the student's situation that will allow the student to demonstrate satisfactory academic progress at the next evaluation; (10) If the institution does not permit a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy must describe how the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; and (11) The policy provides for notification to students of the results of an evaluation that impacts the student's eligibility for title IV, HEA program funds.” Condition: Bluefield State University (BSU), Fairmont State University (FSU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia School of Osteopathic Medicine (WVSOM), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the satisfactory academic progress (SAP) policy. During our testing, we noted there was no documentation retained to evidence that a review of the SAP policy was performed to ensure compliance with federal regulations. Additionally, Blue Ridge Community College (BRCTC) and WVUP did not publish the most recent version of the SAP policy on their websites. Furthermore, WVSOM did not include reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policy as the related SAP polices excluded the required element #11 above. BRCTC had an appropriate policy, but they did not publish the most recent version of the policy on their website. The older version of the SAP policy that was published on their website did not include the required element #11 above. Cause: Management of BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP did not retain sufficient documentation for their review procedures over the SAP policy. Management of BRCTC and WVSOM did not include all reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policies. Effect or Potential Effect: The published SAP policy may be deemed insufficient for the compliance requirements. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP were $5,084,582, $7,651,688, $17,584,932, $93,991,163, $3,672,778, $16,726,007, $3,090,314, $44,681,370, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should ensure the SAP is reviewed and approved on an annual basis and supporting documentation of the review retained. Management should design and implement internal controls over the SAP policy to ensure all requirements are included in the policy appropriately and published on the institution’s website timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–018 INTERNAL CONTROLS OVER FINANCIAL REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: In our control testing, Pierpont Community and Technical College (PCTC) could not provide adequate documentation of controls in place over Pell Common Origination and Disbursement (COD) reconciliations conducted prior to October 2022 to ensure the data reported is complete, accurate, and prepared in accordance with the required instructions. Effective controls were implemented with the reconciliation for October and remained in effect the remainder of the audit period. Cause: PCTC’s policies and procedures did not require adequate documentation be maintained to demonstrate that controls are operating effectively prior to October 2022. Effect or Potential Effect: The U.S. Department of Education could receive incorrect Pell or Direct Loan payment data. Questioned Costs: N/A Context: Total Direct Loans and Pell expenditures for PCTC were $4,201,839 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–014 and 2021–020 Recommendation: We recommend that PCTC continues to use the policies and procedures implemented for reconciliations performed for October 2022 and after. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–019 SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY (N12)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls. (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (iv) Assess apps developed by the institution (v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (vi) Dispose of customer information securely (vii) Anticipate and evaluate changes to the information system or network. (viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Blue Ridge Community and Technical College (BRCTC), Concord University (CU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program for Bluefield University (BSU), CU, MU, NRCTC, Shepherd University (SU), WLU, WVNCC, West Virginia State University (WVSU) and WVUP did not address all required elements per 16 CFR 314.4 outlined above. Furthermore, Fairmont State University (FSU) and Pierpont Community and Technical College (PCTC) did not have a written Information Security Program. For FSU, the written Information Security Program was not in place until May 2023. Cause: Management of BRCTC, CU, MU, NRCTC, WLU, WVNCC, and WVUP did not retain sufficient documentation for their review procedures over the Information Security Program. Management of BSU, CU, MU, NRCTC, SU, WVNCC, and WVSU did not include all reasonable standards required for the Information Security Program. Management of FSU and PCTC did not have a written Information Security Program. Effect or Potential Effect: The written Information Security Program may not be compliant with federal regulations. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, CU, FSU, MU, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, and WVUP were $5,084,582, $7,651,688, $13,833,684, $17,584,932, $93,991,163, $3,672,778, $4,388,461, $15,171,851, $16,726,007, $3,090,314, $9,313,808, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–020 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – VERIFICATION (N1)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Fairmont State University (FSU) did not have adequate internal controls in place surrounding the verification compliance requirement. During our testing, we noted for the samples selected that there were multiple selections showing a lack of proper review in the verification process. Cause: FSU did not have adequate internal controls in place to ensure that verification changes identified were processed and submitted to the U.S. Department of Education. Effect or Potential Effect: Students receiving federal aid could receive the incorrect amount of federal student financial assistance. Questioned Costs: N/A Context: We selected a sample of 23 students for FSU and identified 8 instances where the verification forms were not reviewed and approved. Total Student Financial Assistance Cluster expenditures for FSU were $17,584,932 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–015 and 2021–014 Recommendation: Management should develop and update internal controls to ensure that controls related to the verification process are implemented. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–021 BANNER INFORMATION TECHNOLOGY GENERAL CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the Banner application instances at 12 of 15 universities / colleges. As a result, Banner ITGCs, and therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Across the 11 universities/colleges (Blue Ridge Community and Technical College, Bluefield State University, Mountwest Community and Technical College, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia University, West Virginia University at Parkersburg, and West Virginia State University), management did not have a formalized process to support access provisioning events were authorized, approved and documented. Additionally, documentation did not exist to support the timely revocation of access upon a user leaving the university / college. Further, a user access review for Banner was not performed to ensure access remains appropriate based on users’ job responsibilities. We also identified instances where privileged accounts to Banner were shared amongst users and password settings were not configured with leading industry standards. Specific to the change management process, a formalized and documented process was not consistently followed to support that Banner application and supporting infrastructure patches and releases were authorized, tested, and approved prior to being implemented to production. Effect or Potential Effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the student financial aid system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned Costs: None Context: The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified Banner access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the Banner application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the Banner application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access to the Banner application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. Management should configure Banner password settings related to minimum length, complexity, expiration, history, and account lockout to enhance overall security. Further, privileged access to the Banner application should be granted to administrators via unique IDs to provide accountability and avoid the sharing of default privileged accounts. A formal, documented change process needs implemented to capture authorization, testing and production migration approvals for patches and releases to the Banner application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–022 SPECIAL TESTS AND PROVISIONS – RETURN OF TITLE IV FUNDS (N4)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 34 CFR section 668.173(b) requires timely return of title IV, HEA program funds. “In accordance with procedures established by the Secretary or FFEL Program lender, an institution returns unearned title IV, HEA program funds timely if - (1) The institution deposits or transfers the funds into the bank account it maintains under § 668.163 no later than 45 days after the date it determines that the student withdrew; (2) The institution initiates an electronic funds transfer (EFT) no later than 45 days after the date it determines that the student withdrew; (3) The institution initiates an electronic transaction, no later than 45 days after the date it determines that the student withdrew, that informs a FFEL lender to adjust the borrower’s loan account for the amount returned; or (4) The institution issues a check no later than 45 days after the date it determines that the student withdrew. An institution does not satisfy this requirement if - (i) The institution’s records show that the check was issued more than 45 days after the date the institution determined that the student withdrew; or (ii) The date on the cancelled check shows that the bank used by the Secretary or FFEL Program lender endorsed that check more than 60 days after the date the institution determined that the student withdrew.” Condition: Blue Ridge Community and Technical College (BRCTC), Mountwest Career & Technical College (MCTC), Pierpont Community and Technical College (PCTC), and West Virginia Northern Community College (WVNCC) were unable to provide adequate documentation showing they maintained an effective review process over the returns of Title IV funds. In addition, for Bluefield State University (BSU) it was noted during compliance testing that certain amounts to be returned were not returned timely. Cause: The institutions do not have adequate internal controls in place over the return of Title IV funds to prevent noncompliance. Effect or Potential Effect: The institutions may not be returning the correct amount of federal student financial assistance required or the funds are not returned within the required time frame to the United States Department of Education. Questioned Costs: None Context: In 11 of 29 instances of internal control testing at BRCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. The support documentation provided did not include any evidence of review. In 19 of 22 instances of internal control testing at MCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. MCTC relied on application controls within the Banner system, which has been determined to have ineffective ITGCs. Additionally, the support documentation provided did not include sufficient evidence of review. In 2 of 18 instances in internal control testing at PCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. In addition, the return to Title IV funds was not completed within the required 45-day timeframe. In all 20 instances of internal control testing at WVNCC, we noted that the internal control was not sufficiently documented or not functioning effectively. WVNCC relied on the application controls within the Banner system, which has been determined to have ineffective ITGCs. Additionally, there was no evidence of review of the calculation in the support documentation provided. In one of 40 returns tested for compliance, we noted that one return related to BSU was not completed within the required 45-day timeframe. Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, MCTC, PCTC, and WVNCC were $5,084,582, $7,651,688, $4,467,631, $4,388,461, and $3,090,314, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643 Identification as a Repeat Finding: Prior Year Findings 2022–011 and 2021–015 Recommendation: Management should implement internal controls to ensure that the correct amount of federal student financial assistance is returned and returned within the required time frame. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–023 INTERNAL CONTROLS OVER CASH MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: For the period July 2022 – January 2023 at Fairmont State University (FSU), there was no second level review of drawdown requests for accuracy, completeness and agreement to the underlying books and records of the institution. Bluefield State University (BSU) did not retain evidence of the review and approval for one of seven drawdown requests selected for internal control testing. Mountwest Community and Technical College (MCTC) did not have evidence of the review control related to cash management. Three of the 15 drawdown requests selected for internal control testing did not have proper approval prior to the drawdowns. West Virginia Northern Community College (WVNCC) did not retain evidence of the review and approval for seven of 12 drawdown requests selected for control testing. Cause: For FSU, one individual was responsible for preparing the drawdown request and making the drawdown through the U.S. Department of Education’s G5 payment management system. Internal controls were not implemented until February 2023. BSU, MCTC, and WVNCC have policies and procedures in place to review the drawdowns prior to requesting from the U.S. Department of Education’s G5 payment management system; however, the policies and procedures were not followed for these drawdowns. Effect or Potential Effect: Drawdowns could be inaccurate, incomplete, and not agree to underlying books and records of the institution. Questioned Costs: None Context: Total BSU, FSU, MCTC, and WVNCC expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $7,651,688, $17,584,932, and $4,467,631, and $3,090,314 respectively. Total Student Financial Assistance Cluster expenditures were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: For FSU, management should continue to follow internal controls implemented in February 2023 requiring a second level review of drawdown requests. For BSU, MCTC, and WVNCC, management should follow established policies, procedures and internal controls for the review and approval of drawdown requests. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–024 SPECIAL TESTS AND PROVISIONS – USING A SERVICER TO DELIVER TITLE IV CREDIT BALANCES TO A CARD OR OTHER ACCESS DEVICE (N3)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” An institution may enter into an arrangement with a servicer or a financial institution to make a direct payment of federal student aid credit balances to students through electronic funds transfer to a bank account designated by a student or parent, to issue a check payment to the student or to use an access device such as a debit, demand, or smart card provided by the servicer or its financial partner. Regulations at 34 CFR 668.164(e) and (f) establish two different types of arrangements between schools and financial account providers: Tier One arrangements and Tier Two arrangements. The type of arrangement determines the provisions that are applicable to the school. 34 CFR 668.164(e)(2)(viii) states under a T1 arrangement, the institution must “provide to the Secretary an up-to-date URL for the contract and contract data as described in paragraph (e)(2)(vii) of this section for publication in a centralized database accessible to the public.” 34 CFR 668.164(e)(2)(ix) states under a T1 arrangement, the institution must “ensure that the terms of the accounts offered pursuant to a T1 arrangement are not inconsistent with the best financial interests of the students opening them. The Secretary considers this requirement to be met if (A) The institution documents that it conducts reasonable due diligence reviews at least every two years to ascertain whether the fees imposed under the T1 arrangement are, considered as a whole, consistent with or below prevailing market rates; and (B) All contracts for the marketing or offering of accounts pursuant to T1 arrangements to the institution's students make provision for termination of the arrangement by the institution based on complaints received from students or a determination by the institution under paragraph (e)(2)(ix)(A) of this section that the fees assessed under the T1 arrangement are not consistent with or are higher than prevailing market rates.” 34 CFR 668.164(e)(2)(x) states under a T1 arrangement, the institution must “take affirmative steps, by way of contractual arrangements with the third-party servicer as necessary, to ensure that requirements of this section are met with respect to all accounts offered pursuant to T1 arrangements.” Condition: Bluefield State University (BSU), Blueridge Community & Technical College (BRCTC), Concord University (CU), Mountwest Community & Technical College (MCTC), Shepherd University (SU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) have a T1 arrangement with a third-party servicer. BSU, CU, SU, WVNCC, and WVUP were unable to provide documentation showing that their institutions had submitted a URL to their contract with their third-party servicer and cost information related to their third-party servicer to the U.S. Department of Education for publication in the Cash Management Contracts Database. BSU, BRCTC, CU, MCTC, SU and WVNCC were unable to provide evidence showing that their institutions documented a due diligence review over the fees assessed by their third-party servicer of Title IV credit balances. Cause: BSU, BRCTC, CU, MCTC, SU, WVUP, and WVNCC did not have an internal control in place to review the contract with their third-party servicer of Title IV credit balances or obtain and review the third-party servicer’s Title IV compliance audit to ensure compliance with federal regulations. As such, instances of noncompliance were noted above. Effect or Potential Effect: The schools are not in compliance with certain federal regulations over T1 arrangements contained in 34 CFR 668.164(e). Questioned Costs: None Context: BSU, BRCTC, CU, MCTC, SU, WVNCC, and WVUP had total expenditures of $7,651,688, $5,084,582, $13,833,684, $4,467,631, $15,171,851, $3,090,314, and $6,847,451 respectively. Total expenditures for the SFA Cluster were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: The schools should implement internal controls over the review of the contract with their third-party servicer of Title IV credit balances and their Title IV compliance audit, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1) and Report on Controls Relevant to Security (SOC 2) to ensure compliance with the federal regulations over T1 arrangements. Documentation over the specific items reviewed and conclusions reached should be retained to support the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–026 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – ENROLLMENT REPORTING (N5)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: Internal controls over the review and approval of the enrollment report sent to the National Student Clearinghouse (NSC) were not adequately designed or operating effectively for Bluefield State University (BSU), Blueridge Community and Technical College (BRCTC), Concord University (CU), Fairmont State University (FSU), Marshall University (MU), Mountwest Community and Technical College (MCTC), New River Community and Technical College (NRCTC), Pierpont Community and Technical College (PPCTC), Shepherd University (SU), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia State University (WVSU), West Virginia University (WVU), and West Virginia University at Parkersburg (WVUP). For the enrollment reporting transmissions tested for internal controls, we noted the following: * Final review and approval signoff to submit the enrollment report to NSC, the third-party used in the enrollment reporting process, was not consistently retained by the institution (BSU, BRCTC, PCTC, WLU, WVNCC, WVSU) * A record count reconciliation between the final enrollment report, text file and the number of files received by the NSC, including documentation over how any rejected records were addressed, was not retained. (BSU, BRCTC, CU, FSU, MU, MCTC, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, WVU, WVUP) * Details of the validation of student information included in the enrollment report for accuracy was not consistently retained by the institution. (BSU, FSU, MU, MCTC, NRCTC, WVSU) * The NSC automated emails used as a quality checklist regarding due dates, receipt of the text file by the NSC, availability and completion of the Error Resolution Report, and confirmation of certification and processing by the NSC were not consistently retained by the institution (BSU, BRCTC, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, WVUP) Cause: The institutions did not have adequately designed internal controls in place surrounding the enrollment reporting process. Effect or Potential Effect: The institutions may not promptly notify the National Student Loan Data System (NSLDS) of changes in student status in an accurate and complete manner; thus, inaccurate, or incomplete information could be reported to the NSLDS. Questioned Costs: None Context: The total expenditures for the SFA Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–012 and 2021–016 Recommendation: Documentation over the review and approval of the enrollment report for accuracy and completeness should be retained to evidence the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–017 SPECIAL TESTS AND PROVISIONS – SATISFACTORY ACADEMIC PROGRESS (N9)
Federal Program Information: Federal Agency and Program Name Assistance Listing #
Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” 34 CFR 668.16(e) states: “For purposes of determining student eligibility for assistance under a title IV, HEA program, establishes, publishes, and applies reasonable standards for measuring whether an otherwise eligible student is maintaining satisfactory academic progress in his or her educational program. The Secretary considers an institution's standards to be reasonable if the standards are in accordance with the provisions specified in § 668.34.” 34 CFR 668.34 states: “An institution must establish a reasonable satisfactory academic progress policy for determining whether an otherwise eligible student is making satisfactory academic progress in his or her educational program and may receive assistance under the title IV, HEA programs. The Secretary considers the institution's policy to be reasonable if— (1) The policy is at least as strict as the policy the institution applies to a student who is not receiving assistance under the title IV, HEA programs; (2) The policy provides for consistent application of standards to all students within categories of students, e.g., full-time, part-time, undergraduate, and graduate students, and educational programs established by the institution; (3) The policy provides that a student's academic progress is evaluated— (i) At the end of each payment period if the educational program is either one academic year in length or shorter than an academic year; or (ii) For all other educational programs, at the end of each payment period or at least annually to correspond with the end of a payment period; (4) (i) The policy specifies the grade point average (GPA) that a student must achieve at each evaluation, or if a GPA is not an appropriate qualitative measure, a comparable assessment measured against a norm; and (ii) If a student is enrolled in an educational program of more than two academic years, the policy specifies that at the end of the second academic year, the student must have a GPA of at least a “C” or its equivalent, or have academic standing consistent with the institution's requirements for graduation; (5) The policy specifies— (i) For all programs, the maximum timeframe as defined in paragraph (b) of this section; and (ii) For a credit hour program using standard or nonstandard terms that is not a subscription-based program, the pace, measured at each evaluation, at which a student must progress through his or her educational program to ensure that the student will complete the program within the maximum timeframe, calculated by either dividing the cumulative number of hours the student has successfully completed by the cumulative number of hours the student has attempted or by determining the number of hours that the student should have completed by the evaluation point in order to complete the program within the maximum timeframe. In making this calculation, the institution is not required to include remedial courses; (6) The policy describes how a student's GPA and pace of completion are affected by course incompletes, withdrawals, or repetitions, or transfers of credit from other institutions. Credit hours from another institution that are accepted toward the student's educational program must count as both attempted and completed hours; (7) Except as provided in paragraphs (c) and (d) of this section, the policy provides that, at the time of each evaluation, a student who has not achieved the required GPA, or who is not successfully completing his or her educational program at the required pace, is no longer eligible to receive assistance under the title IV, HEA programs; (8) If the institution places students on financial aid warning, or on financial aid probation, as defined in paragraph (b) of this section, the policy describes these statuses and that— (i) A student on financial aid warning may continue to receive assistance under the title IV, HEA programs for one payment period despite a determination that the student is not making satisfactory academic progress. Financial aid warning status may be assigned without an appeal or other action by the student; and (ii) A student on financial aid probation may receive title IV, HEA program funds for one payment period. While a student is on financial aid probation, the institution may require the student to fulfill specific terms and conditions such as taking a reduced course load or enrolling in specific courses. At the end of one payment period on financial aid probation, the student must meet the institution's satisfactory academic progress standards or meet the requirements of the academic plan developed by the institution and the student to qualify for further title IV, HEA program funds; (9) If the institution permits a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy describes— (i) How the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; (ii) The basis on which a student may file an appeal: The death of a relative, an injury or illness of the student, or other special circumstances; and (iii) Information the student must submit regarding why the student failed to make satisfactory academic progress, and what has changed in the student's situation that will allow the student to demonstrate satisfactory academic progress at the next evaluation; (10) If the institution does not permit a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy must describe how the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; and (11) The policy provides for notification to students of the results of an evaluation that impacts the student's eligibility for title IV, HEA program funds.” Condition: Bluefield State University (BSU), Fairmont State University (FSU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia School of Osteopathic Medicine (WVSOM), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the satisfactory academic progress (SAP) policy. During our testing, we noted there was no documentation retained to evidence that a review of the SAP policy was performed to ensure compliance with federal regulations. Additionally, Blue Ridge Community College (BRCTC) and WVUP did not publish the most recent version of the SAP policy on their websites. Furthermore, WVSOM did not include reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policy as the related SAP polices excluded the required element #11 above. BRCTC had an appropriate policy, but they did not publish the most recent version of the policy on their website. The older version of the SAP policy that was published on their website did not include the required element #11 above. Cause: Management of BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP did not retain sufficient documentation for their review procedures over the SAP policy. Management of BRCTC and WVSOM did not include all reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policies. Effect or Potential Effect: The published SAP policy may be deemed insufficient for the compliance requirements. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP were $5,084,582, $7,651,688, $17,584,932, $93,991,163, $3,672,778, $16,726,007, $3,090,314, $44,681,370, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should ensure the SAP is reviewed and approved on an annual basis and supporting documentation of the review retained. Management should design and implement internal controls over the SAP policy to ensure all requirements are included in the policy appropriately and published on the institution’s website timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–018 INTERNAL CONTROLS OVER FINANCIAL REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: In our control testing, Pierpont Community and Technical College (PCTC) could not provide adequate documentation of controls in place over Pell Common Origination and Disbursement (COD) reconciliations conducted prior to October 2022 to ensure the data reported is complete, accurate, and prepared in accordance with the required instructions. Effective controls were implemented with the reconciliation for October and remained in effect the remainder of the audit period. Cause: PCTC’s policies and procedures did not require adequate documentation be maintained to demonstrate that controls are operating effectively prior to October 2022. Effect or Potential Effect: The U.S. Department of Education could receive incorrect Pell or Direct Loan payment data. Questioned Costs: N/A Context: Total Direct Loans and Pell expenditures for PCTC were $4,201,839 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–014 and 2021–020 Recommendation: We recommend that PCTC continues to use the policies and procedures implemented for reconciliations performed for October 2022 and after. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–019 SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY (N12)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls. (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (iv) Assess apps developed by the institution (v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (vi) Dispose of customer information securely (vii) Anticipate and evaluate changes to the information system or network. (viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Blue Ridge Community and Technical College (BRCTC), Concord University (CU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program for Bluefield University (BSU), CU, MU, NRCTC, Shepherd University (SU), WLU, WVNCC, West Virginia State University (WVSU) and WVUP did not address all required elements per 16 CFR 314.4 outlined above. Furthermore, Fairmont State University (FSU) and Pierpont Community and Technical College (PCTC) did not have a written Information Security Program. For FSU, the written Information Security Program was not in place until May 2023. Cause: Management of BRCTC, CU, MU, NRCTC, WLU, WVNCC, and WVUP did not retain sufficient documentation for their review procedures over the Information Security Program. Management of BSU, CU, MU, NRCTC, SU, WVNCC, and WVSU did not include all reasonable standards required for the Information Security Program. Management of FSU and PCTC did not have a written Information Security Program. Effect or Potential Effect: The written Information Security Program may not be compliant with federal regulations. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, CU, FSU, MU, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, and WVUP were $5,084,582, $7,651,688, $13,833,684, $17,584,932, $93,991,163, $3,672,778, $4,388,461, $15,171,851, $16,726,007, $3,090,314, $9,313,808, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–020 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – VERIFICATION (N1)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Fairmont State University (FSU) did not have adequate internal controls in place surrounding the verification compliance requirement. During our testing, we noted for the samples selected that there were multiple selections showing a lack of proper review in the verification process. Cause: FSU did not have adequate internal controls in place to ensure that verification changes identified were processed and submitted to the U.S. Department of Education. Effect or Potential Effect: Students receiving federal aid could receive the incorrect amount of federal student financial assistance. Questioned Costs: N/A Context: We selected a sample of 23 students for FSU and identified 8 instances where the verification forms were not reviewed and approved. Total Student Financial Assistance Cluster expenditures for FSU were $17,584,932 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–015 and 2021–014 Recommendation: Management should develop and update internal controls to ensure that controls related to the verification process are implemented. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–021 BANNER INFORMATION TECHNOLOGY GENERAL CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the Banner application instances at 12 of 15 universities / colleges. As a result, Banner ITGCs, and therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Across the 11 universities/colleges (Blue Ridge Community and Technical College, Bluefield State University, Mountwest Community and Technical College, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia University, West Virginia University at Parkersburg, and West Virginia State University), management did not have a formalized process to support access provisioning events were authorized, approved and documented. Additionally, documentation did not exist to support the timely revocation of access upon a user leaving the university / college. Further, a user access review for Banner was not performed to ensure access remains appropriate based on users’ job responsibilities. We also identified instances where privileged accounts to Banner were shared amongst users and password settings were not configured with leading industry standards. Specific to the change management process, a formalized and documented process was not consistently followed to support that Banner application and supporting infrastructure patches and releases were authorized, tested, and approved prior to being implemented to production. Effect or Potential Effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the student financial aid system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned Costs: None Context: The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified Banner access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the Banner application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the Banner application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access to the Banner application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. Management should configure Banner password settings related to minimum length, complexity, expiration, history, and account lockout to enhance overall security. Further, privileged access to the Banner application should be granted to administrators via unique IDs to provide accountability and avoid the sharing of default privileged accounts. A formal, documented change process needs implemented to capture authorization, testing and production migration approvals for patches and releases to the Banner application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–022 SPECIAL TESTS AND PROVISIONS – RETURN OF TITLE IV FUNDS (N4)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 34 CFR section 668.173(b) requires timely return of title IV, HEA program funds. “In accordance with procedures established by the Secretary or FFEL Program lender, an institution returns unearned title IV, HEA program funds timely if - (1) The institution deposits or transfers the funds into the bank account it maintains under § 668.163 no later than 45 days after the date it determines that the student withdrew; (2) The institution initiates an electronic funds transfer (EFT) no later than 45 days after the date it determines that the student withdrew; (3) The institution initiates an electronic transaction, no later than 45 days after the date it determines that the student withdrew, that informs a FFEL lender to adjust the borrower’s loan account for the amount returned; or (4) The institution issues a check no later than 45 days after the date it determines that the student withdrew. An institution does not satisfy this requirement if - (i) The institution’s records show that the check was issued more than 45 days after the date the institution determined that the student withdrew; or (ii) The date on the cancelled check shows that the bank used by the Secretary or FFEL Program lender endorsed that check more than 60 days after the date the institution determined that the student withdrew.” Condition: Blue Ridge Community and Technical College (BRCTC), Mountwest Career & Technical College (MCTC), Pierpont Community and Technical College (PCTC), and West Virginia Northern Community College (WVNCC) were unable to provide adequate documentation showing they maintained an effective review process over the returns of Title IV funds. In addition, for Bluefield State University (BSU) it was noted during compliance testing that certain amounts to be returned were not returned timely. Cause: The institutions do not have adequate internal controls in place over the return of Title IV funds to prevent noncompliance. Effect or Potential Effect: The institutions may not be returning the correct amount of federal student financial assistance required or the funds are not returned within the required time frame to the United States Department of Education. Questioned Costs: None Context: In 11 of 29 instances of internal control testing at BRCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. The support documentation provided did not include any evidence of review. In 19 of 22 instances of internal control testing at MCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. MCTC relied on application controls within the Banner system, which has been determined to have ineffective ITGCs. Additionally, the support documentation provided did not include sufficient evidence of review. In 2 of 18 instances in internal control testing at PCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. In addition, the return to Title IV funds was not completed within the required 45-day timeframe. In all 20 instances of internal control testing at WVNCC, we noted that the internal control was not sufficiently documented or not functioning effectively. WVNCC relied on the application controls within the Banner system, which has been determined to have ineffective ITGCs. Additionally, there was no evidence of review of the calculation in the support documentation provided. In one of 40 returns tested for compliance, we noted that one return related to BSU was not completed within the required 45-day timeframe. Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, MCTC, PCTC, and WVNCC were $5,084,582, $7,651,688, $4,467,631, $4,388,461, and $3,090,314, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643 Identification as a Repeat Finding: Prior Year Findings 2022–011 and 2021–015 Recommendation: Management should implement internal controls to ensure that the correct amount of federal student financial assistance is returned and returned within the required time frame. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–023 INTERNAL CONTROLS OVER CASH MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: For the period July 2022 – January 2023 at Fairmont State University (FSU), there was no second level review of drawdown requests for accuracy, completeness and agreement to the underlying books and records of the institution. Bluefield State University (BSU) did not retain evidence of the review and approval for one of seven drawdown requests selected for internal control testing. Mountwest Community and Technical College (MCTC) did not have evidence of the review control related to cash management. Three of the 15 drawdown requests selected for internal control testing did not have proper approval prior to the drawdowns. West Virginia Northern Community College (WVNCC) did not retain evidence of the review and approval for seven of 12 drawdown requests selected for control testing. Cause: For FSU, one individual was responsible for preparing the drawdown request and making the drawdown through the U.S. Department of Education’s G5 payment management system. Internal controls were not implemented until February 2023. BSU, MCTC, and WVNCC have policies and procedures in place to review the drawdowns prior to requesting from the U.S. Department of Education’s G5 payment management system; however, the policies and procedures were not followed for these drawdowns. Effect or Potential Effect: Drawdowns could be inaccurate, incomplete, and not agree to underlying books and records of the institution. Questioned Costs: None Context: Total BSU, FSU, MCTC, and WVNCC expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $7,651,688, $17,584,932, and $4,467,631, and $3,090,314 respectively. Total Student Financial Assistance Cluster expenditures were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: For FSU, management should continue to follow internal controls implemented in February 2023 requiring a second level review of drawdown requests. For BSU, MCTC, and WVNCC, management should follow established policies, procedures and internal controls for the review and approval of drawdown requests. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–024 SPECIAL TESTS AND PROVISIONS – USING A SERVICER TO DELIVER TITLE IV CREDIT BALANCES TO A CARD OR OTHER ACCESS DEVICE (N3)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” An institution may enter into an arrangement with a servicer or a financial institution to make a direct payment of federal student aid credit balances to students through electronic funds transfer to a bank account designated by a student or parent, to issue a check payment to the student or to use an access device such as a debit, demand, or smart card provided by the servicer or its financial partner. Regulations at 34 CFR 668.164(e) and (f) establish two different types of arrangements between schools and financial account providers: Tier One arrangements and Tier Two arrangements. The type of arrangement determines the provisions that are applicable to the school. 34 CFR 668.164(e)(2)(viii) states under a T1 arrangement, the institution must “provide to the Secretary an up-to-date URL for the contract and contract data as described in paragraph (e)(2)(vii) of this section for publication in a centralized database accessible to the public.” 34 CFR 668.164(e)(2)(ix) states under a T1 arrangement, the institution must “ensure that the terms of the accounts offered pursuant to a T1 arrangement are not inconsistent with the best financial interests of the students opening them. The Secretary considers this requirement to be met if (A) The institution documents that it conducts reasonable due diligence reviews at least every two years to ascertain whether the fees imposed under the T1 arrangement are, considered as a whole, consistent with or below prevailing market rates; and (B) All contracts for the marketing or offering of accounts pursuant to T1 arrangements to the institution's students make provision for termination of the arrangement by the institution based on complaints received from students or a determination by the institution under paragraph (e)(2)(ix)(A) of this section that the fees assessed under the T1 arrangement are not consistent with or are higher than prevailing market rates.” 34 CFR 668.164(e)(2)(x) states under a T1 arrangement, the institution must “take affirmative steps, by way of contractual arrangements with the third-party servicer as necessary, to ensure that requirements of this section are met with respect to all accounts offered pursuant to T1 arrangements.” Condition: Bluefield State University (BSU), Blueridge Community & Technical College (BRCTC), Concord University (CU), Mountwest Community & Technical College (MCTC), Shepherd University (SU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) have a T1 arrangement with a third-party servicer. BSU, CU, SU, WVNCC, and WVUP were unable to provide documentation showing that their institutions had submitted a URL to their contract with their third-party servicer and cost information related to their third-party servicer to the U.S. Department of Education for publication in the Cash Management Contracts Database. BSU, BRCTC, CU, MCTC, SU and WVNCC were unable to provide evidence showing that their institutions documented a due diligence review over the fees assessed by their third-party servicer of Title IV credit balances. Cause: BSU, BRCTC, CU, MCTC, SU, WVUP, and WVNCC did not have an internal control in place to review the contract with their third-party servicer of Title IV credit balances or obtain and review the third-party servicer’s Title IV compliance audit to ensure compliance with federal regulations. As such, instances of noncompliance were noted above. Effect or Potential Effect: The schools are not in compliance with certain federal regulations over T1 arrangements contained in 34 CFR 668.164(e). Questioned Costs: None Context: BSU, BRCTC, CU, MCTC, SU, WVNCC, and WVUP had total expenditures of $7,651,688, $5,084,582, $13,833,684, $4,467,631, $15,171,851, $3,090,314, and $6,847,451 respectively. Total expenditures for the SFA Cluster were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: The schools should implement internal controls over the review of the contract with their third-party servicer of Title IV credit balances and their Title IV compliance audit, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1) and Report on Controls Relevant to Security (SOC 2) to ensure compliance with the federal regulations over T1 arrangements. Documentation over the specific items reviewed and conclusions reached should be retained to support the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–026 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – ENROLLMENT REPORTING (N5)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: Internal controls over the review and approval of the enrollment report sent to the National Student Clearinghouse (NSC) were not adequately designed or operating effectively for Bluefield State University (BSU), Blueridge Community and Technical College (BRCTC), Concord University (CU), Fairmont State University (FSU), Marshall University (MU), Mountwest Community and Technical College (MCTC), New River Community and Technical College (NRCTC), Pierpont Community and Technical College (PPCTC), Shepherd University (SU), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia State University (WVSU), West Virginia University (WVU), and West Virginia University at Parkersburg (WVUP). For the enrollment reporting transmissions tested for internal controls, we noted the following: * Final review and approval signoff to submit the enrollment report to NSC, the third-party used in the enrollment reporting process, was not consistently retained by the institution (BSU, BRCTC, PCTC, WLU, WVNCC, WVSU) * A record count reconciliation between the final enrollment report, text file and the number of files received by the NSC, including documentation over how any rejected records were addressed, was not retained. (BSU, BRCTC, CU, FSU, MU, MCTC, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, WVU, WVUP) * Details of the validation of student information included in the enrollment report for accuracy was not consistently retained by the institution. (BSU, FSU, MU, MCTC, NRCTC, WVSU) * The NSC automated emails used as a quality checklist regarding due dates, receipt of the text file by the NSC, availability and completion of the Error Resolution Report, and confirmation of certification and processing by the NSC were not consistently retained by the institution (BSU, BRCTC, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, WVUP) Cause: The institutions did not have adequately designed internal controls in place surrounding the enrollment reporting process. Effect or Potential Effect: The institutions may not promptly notify the National Student Loan Data System (NSLDS) of changes in student status in an accurate and complete manner; thus, inaccurate, or incomplete information could be reported to the NSLDS. Questioned Costs: None Context: The total expenditures for the SFA Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–012 and 2021–016 Recommendation: Documentation over the review and approval of the enrollment report for accuracy and completeness should be retained to evidence the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–017 SPECIAL TESTS AND PROVISIONS – SATISFACTORY ACADEMIC PROGRESS (N9)
Federal Program Information: Federal Agency and Program Name Assistance Listing #
Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” 34 CFR 668.16(e) states: “For purposes of determining student eligibility for assistance under a title IV, HEA program, establishes, publishes, and applies reasonable standards for measuring whether an otherwise eligible student is maintaining satisfactory academic progress in his or her educational program. The Secretary considers an institution's standards to be reasonable if the standards are in accordance with the provisions specified in § 668.34.” 34 CFR 668.34 states: “An institution must establish a reasonable satisfactory academic progress policy for determining whether an otherwise eligible student is making satisfactory academic progress in his or her educational program and may receive assistance under the title IV, HEA programs. The Secretary considers the institution's policy to be reasonable if— (1) The policy is at least as strict as the policy the institution applies to a student who is not receiving assistance under the title IV, HEA programs; (2) The policy provides for consistent application of standards to all students within categories of students, e.g., full-time, part-time, undergraduate, and graduate students, and educational programs established by the institution; (3) The policy provides that a student's academic progress is evaluated— (i) At the end of each payment period if the educational program is either one academic year in length or shorter than an academic year; or (ii) For all other educational programs, at the end of each payment period or at least annually to correspond with the end of a payment period; (4) (i) The policy specifies the grade point average (GPA) that a student must achieve at each evaluation, or if a GPA is not an appropriate qualitative measure, a comparable assessment measured against a norm; and (ii) If a student is enrolled in an educational program of more than two academic years, the policy specifies that at the end of the second academic year, the student must have a GPA of at least a “C” or its equivalent, or have academic standing consistent with the institution's requirements for graduation; (5) The policy specifies— (i) For all programs, the maximum timeframe as defined in paragraph (b) of this section; and (ii) For a credit hour program using standard or nonstandard terms that is not a subscription-based program, the pace, measured at each evaluation, at which a student must progress through his or her educational program to ensure that the student will complete the program within the maximum timeframe, calculated by either dividing the cumulative number of hours the student has successfully completed by the cumulative number of hours the student has attempted or by determining the number of hours that the student should have completed by the evaluation point in order to complete the program within the maximum timeframe. In making this calculation, the institution is not required to include remedial courses; (6) The policy describes how a student's GPA and pace of completion are affected by course incompletes, withdrawals, or repetitions, or transfers of credit from other institutions. Credit hours from another institution that are accepted toward the student's educational program must count as both attempted and completed hours; (7) Except as provided in paragraphs (c) and (d) of this section, the policy provides that, at the time of each evaluation, a student who has not achieved the required GPA, or who is not successfully completing his or her educational program at the required pace, is no longer eligible to receive assistance under the title IV, HEA programs; (8) If the institution places students on financial aid warning, or on financial aid probation, as defined in paragraph (b) of this section, the policy describes these statuses and that— (i) A student on financial aid warning may continue to receive assistance under the title IV, HEA programs for one payment period despite a determination that the student is not making satisfactory academic progress. Financial aid warning status may be assigned without an appeal or other action by the student; and (ii) A student on financial aid probation may receive title IV, HEA program funds for one payment period. While a student is on financial aid probation, the institution may require the student to fulfill specific terms and conditions such as taking a reduced course load or enrolling in specific courses. At the end of one payment period on financial aid probation, the student must meet the institution's satisfactory academic progress standards or meet the requirements of the academic plan developed by the institution and the student to qualify for further title IV, HEA program funds; (9) If the institution permits a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy describes— (i) How the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; (ii) The basis on which a student may file an appeal: The death of a relative, an injury or illness of the student, or other special circumstances; and (iii) Information the student must submit regarding why the student failed to make satisfactory academic progress, and what has changed in the student's situation that will allow the student to demonstrate satisfactory academic progress at the next evaluation; (10) If the institution does not permit a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy must describe how the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; and (11) The policy provides for notification to students of the results of an evaluation that impacts the student's eligibility for title IV, HEA program funds.” Condition: Bluefield State University (BSU), Fairmont State University (FSU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia School of Osteopathic Medicine (WVSOM), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the satisfactory academic progress (SAP) policy. During our testing, we noted there was no documentation retained to evidence that a review of the SAP policy was performed to ensure compliance with federal regulations. Additionally, Blue Ridge Community College (BRCTC) and WVUP did not publish the most recent version of the SAP policy on their websites. Furthermore, WVSOM did not include reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policy as the related SAP polices excluded the required element #11 above. BRCTC had an appropriate policy, but they did not publish the most recent version of the policy on their website. The older version of the SAP policy that was published on their website did not include the required element #11 above. Cause: Management of BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP did not retain sufficient documentation for their review procedures over the SAP policy. Management of BRCTC and WVSOM did not include all reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policies. Effect or Potential Effect: The published SAP policy may be deemed insufficient for the compliance requirements. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP were $5,084,582, $7,651,688, $17,584,932, $93,991,163, $3,672,778, $16,726,007, $3,090,314, $44,681,370, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should ensure the SAP is reviewed and approved on an annual basis and supporting documentation of the review retained. Management should design and implement internal controls over the SAP policy to ensure all requirements are included in the policy appropriately and published on the institution’s website timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–019 SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY (N12)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls. (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (iv) Assess apps developed by the institution (v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (vi) Dispose of customer information securely (vii) Anticipate and evaluate changes to the information system or network. (viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Blue Ridge Community and Technical College (BRCTC), Concord University (CU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program for Bluefield University (BSU), CU, MU, NRCTC, Shepherd University (SU), WLU, WVNCC, West Virginia State University (WVSU) and WVUP did not address all required elements per 16 CFR 314.4 outlined above. Furthermore, Fairmont State University (FSU) and Pierpont Community and Technical College (PCTC) did not have a written Information Security Program. For FSU, the written Information Security Program was not in place until May 2023. Cause: Management of BRCTC, CU, MU, NRCTC, WLU, WVNCC, and WVUP did not retain sufficient documentation for their review procedures over the Information Security Program. Management of BSU, CU, MU, NRCTC, SU, WVNCC, and WVSU did not include all reasonable standards required for the Information Security Program. Management of FSU and PCTC did not have a written Information Security Program. Effect or Potential Effect: The written Information Security Program may not be compliant with federal regulations. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, CU, FSU, MU, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, and WVUP were $5,084,582, $7,651,688, $13,833,684, $17,584,932, $93,991,163, $3,672,778, $4,388,461, $15,171,851, $16,726,007, $3,090,314, $9,313,808, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–020 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – VERIFICATION (N1)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Fairmont State University (FSU) did not have adequate internal controls in place surrounding the verification compliance requirement. During our testing, we noted for the samples selected that there were multiple selections showing a lack of proper review in the verification process. Cause: FSU did not have adequate internal controls in place to ensure that verification changes identified were processed and submitted to the U.S. Department of Education. Effect or Potential Effect: Students receiving federal aid could receive the incorrect amount of federal student financial assistance. Questioned Costs: N/A Context: We selected a sample of 23 students for FSU and identified 8 instances where the verification forms were not reviewed and approved. Total Student Financial Assistance Cluster expenditures for FSU were $17,584,932 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–015 and 2021–014 Recommendation: Management should develop and update internal controls to ensure that controls related to the verification process are implemented. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–021 BANNER INFORMATION TECHNOLOGY GENERAL CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the Banner application instances at 12 of 15 universities / colleges. As a result, Banner ITGCs, and therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Across the 11 universities/colleges (Blue Ridge Community and Technical College, Bluefield State University, Mountwest Community and Technical College, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia University, West Virginia University at Parkersburg, and West Virginia State University), management did not have a formalized process to support access provisioning events were authorized, approved and documented. Additionally, documentation did not exist to support the timely revocation of access upon a user leaving the university / college. Further, a user access review for Banner was not performed to ensure access remains appropriate based on users’ job responsibilities. We also identified instances where privileged accounts to Banner were shared amongst users and password settings were not configured with leading industry standards. Specific to the change management process, a formalized and documented process was not consistently followed to support that Banner application and supporting infrastructure patches and releases were authorized, tested, and approved prior to being implemented to production. Effect or Potential Effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the student financial aid system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned Costs: None Context: The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified Banner access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the Banner application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the Banner application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access to the Banner application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. Management should configure Banner password settings related to minimum length, complexity, expiration, history, and account lockout to enhance overall security. Further, privileged access to the Banner application should be granted to administrators via unique IDs to provide accountability and avoid the sharing of default privileged accounts. A formal, documented change process needs implemented to capture authorization, testing and production migration approvals for patches and releases to the Banner application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–024 SPECIAL TESTS AND PROVISIONS – USING A SERVICER TO DELIVER TITLE IV CREDIT BALANCES TO A CARD OR OTHER ACCESS DEVICE (N3)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” An institution may enter into an arrangement with a servicer or a financial institution to make a direct payment of federal student aid credit balances to students through electronic funds transfer to a bank account designated by a student or parent, to issue a check payment to the student or to use an access device such as a debit, demand, or smart card provided by the servicer or its financial partner. Regulations at 34 CFR 668.164(e) and (f) establish two different types of arrangements between schools and financial account providers: Tier One arrangements and Tier Two arrangements. The type of arrangement determines the provisions that are applicable to the school. 34 CFR 668.164(e)(2)(viii) states under a T1 arrangement, the institution must “provide to the Secretary an up-to-date URL for the contract and contract data as described in paragraph (e)(2)(vii) of this section for publication in a centralized database accessible to the public.” 34 CFR 668.164(e)(2)(ix) states under a T1 arrangement, the institution must “ensure that the terms of the accounts offered pursuant to a T1 arrangement are not inconsistent with the best financial interests of the students opening them. The Secretary considers this requirement to be met if (A) The institution documents that it conducts reasonable due diligence reviews at least every two years to ascertain whether the fees imposed under the T1 arrangement are, considered as a whole, consistent with or below prevailing market rates; and (B) All contracts for the marketing or offering of accounts pursuant to T1 arrangements to the institution's students make provision for termination of the arrangement by the institution based on complaints received from students or a determination by the institution under paragraph (e)(2)(ix)(A) of this section that the fees assessed under the T1 arrangement are not consistent with or are higher than prevailing market rates.” 34 CFR 668.164(e)(2)(x) states under a T1 arrangement, the institution must “take affirmative steps, by way of contractual arrangements with the third-party servicer as necessary, to ensure that requirements of this section are met with respect to all accounts offered pursuant to T1 arrangements.” Condition: Bluefield State University (BSU), Blueridge Community & Technical College (BRCTC), Concord University (CU), Mountwest Community & Technical College (MCTC), Shepherd University (SU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) have a T1 arrangement with a third-party servicer. BSU, CU, SU, WVNCC, and WVUP were unable to provide documentation showing that their institutions had submitted a URL to their contract with their third-party servicer and cost information related to their third-party servicer to the U.S. Department of Education for publication in the Cash Management Contracts Database. BSU, BRCTC, CU, MCTC, SU and WVNCC were unable to provide evidence showing that their institutions documented a due diligence review over the fees assessed by their third-party servicer of Title IV credit balances. Cause: BSU, BRCTC, CU, MCTC, SU, WVUP, and WVNCC did not have an internal control in place to review the contract with their third-party servicer of Title IV credit balances or obtain and review the third-party servicer’s Title IV compliance audit to ensure compliance with federal regulations. As such, instances of noncompliance were noted above. Effect or Potential Effect: The schools are not in compliance with certain federal regulations over T1 arrangements contained in 34 CFR 668.164(e). Questioned Costs: None Context: BSU, BRCTC, CU, MCTC, SU, WVNCC, and WVUP had total expenditures of $7,651,688, $5,084,582, $13,833,684, $4,467,631, $15,171,851, $3,090,314, and $6,847,451 respectively. Total expenditures for the SFA Cluster were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: The schools should implement internal controls over the review of the contract with their third-party servicer of Title IV credit balances and their Title IV compliance audit, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1) and Report on Controls Relevant to Security (SOC 2) to ensure compliance with the federal regulations over T1 arrangements. Documentation over the specific items reviewed and conclusions reached should be retained to support the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–028 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF) ESF Section 1 – Elementary and Secondary Education COVID-19 84.425C COVID-19 84.425D
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) Reports, it was noted that eight (8) reports were not submitted by the State of West Virginia. In addition, for 1 of the 9 reports that was submitted, there was not adequate documentation to support an appropriate level of review and approval of the FFATA report.
Cause: The original grant funding from the U.S. Department of Education was received by the Office of the Governors of the State of West Virginia. These funds were in turn passed through to the State of West Virginia Department of Education (WVDE) which subsequently passed through a portion of the funding to the Local Educational Agencies (subrecipients). WVDE did not notify the Office of the Governor that the monies were passed to subrecipients and the FAFTA report was not filed. In addition, documentation to support internal controls review was not provided for the 1 report that was submitted during the year. Effect or Potential Effect: The State of West Virginia did not report the necessary FFATA report for the Education Stabilization Fund first-tier subawards over $30,000 to the FFATA Subaward Reporting System. Questioned Costs: N/A Context: We tested 9 FFATA reports related to subawards with grant funding amount of $4,030,511. of which 8 FFATA reports were not submitted that totaled $2,750,250. The federal expenditures for the Education Stabilization Fund program for the fiscal year ended June 30, 2023 were $323,733,675. Identification as a Repeat Finding: Prior Year Finding 2022–025 Recommendation: We recommend that WVDE strengthen internal controls and procedures over communication with the Office of the Governor related to FFATA reporting to ensure they are in compliance with the federal reporting requirements. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–028 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF) ESF Section 1 – Elementary and Secondary Education COVID-19 84.425C COVID-19 84.425D
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) Reports, it was noted that eight (8) reports were not submitted by the State of West Virginia. In addition, for 1 of the 9 reports that was submitted, there was not adequate documentation to support an appropriate level of review and approval of the FFATA report.
Cause: The original grant funding from the U.S. Department of Education was received by the Office of the Governors of the State of West Virginia. These funds were in turn passed through to the State of West Virginia Department of Education (WVDE) which subsequently passed through a portion of the funding to the Local Educational Agencies (subrecipients). WVDE did not notify the Office of the Governor that the monies were passed to subrecipients and the FAFTA report was not filed. In addition, documentation to support internal controls review was not provided for the 1 report that was submitted during the year. Effect or Potential Effect: The State of West Virginia did not report the necessary FFATA report for the Education Stabilization Fund first-tier subawards over $30,000 to the FFATA Subaward Reporting System. Questioned Costs: N/A Context: We tested 9 FFATA reports related to subawards with grant funding amount of $4,030,511. of which 8 FFATA reports were not submitted that totaled $2,750,250. The federal expenditures for the Education Stabilization Fund program for the fiscal year ended June 30, 2023 were $323,733,675. Identification as a Repeat Finding: Prior Year Finding 2022–025 Recommendation: We recommend that WVDE strengthen internal controls and procedures over communication with the Office of the Governor related to FFATA reporting to ensure they are in compliance with the federal reporting requirements. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–029 REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 1 – Elementary and Secondary Education COVID-19 84.425D/84.425R/84.425U/84.425V, Grant Award S425R210008, Grant Award S425D210036, Grant Award S425U210036, Grant Award S425V210008 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the American Rescue Plan (ARP) Act and 34 CFR Part 76, grantees that receive Elementary and Secondary School Emergency Relief (ESSER) Fund, Governor’s Emergency Education Relief (GEER) Fund and Emergency Assistance to Nonpublic Schools (EANS) Program must submit an annual performance report with data on expenditures, planned expenditures, subrecipients, and uses of funds, including for mandatory reservations. Condition: Management did not provide evidence of the review and approval of the annual ESSER and EANS report. In addition, for the annual EANS report, documentation supporting the amounts reported was not provided. Cause: The Department of Education did not have sufficient internal controls over the review and approval of the annual ESSER and EANS reports. In addition, sufficient internal controls are not in place to require the maintenance of supporting documentation. Effect or Potential Effect: ESSER and EANS reports submitted could have incorrect or inaccurate data/amounts. Questioned Costs: N/A Context: The ESSER and the EANS annual reports submitted relate to year ended June 30, 2022. The total expenditures for the ARP ESSER and ARP EANS programs in fiscal year 2022 were $163,642,108 and $2,989,943, respectively. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend WVDE enforces the existing policies and procedures and retain documentation over review and approval of reports prior to submission. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–030 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 1 – Elementary and Secondary Education COVID-19 84.425D/84.425U; Grant Award – S425U210036, Grant Award – S425D210036, Grant Award – S425D200036 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the West Virginia Department of Education must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.403 requires that costs “be necessary and reasonable for the performance of the Federal award.” Costs should not consist of improper payments, including payments that were made to an ineligible party or for an ineligible good or service or payments for goods or services not received. Condition: The West Virginia Department of Education (WVDE) paid a Local Educational Agency invoice amounting to $566,340 for which the good or service was not received or was only partially received. Cause: WVDE paid invoices to a Local Educational Agency that has not followed the appropriate procurement procedures. Effect or Potential Effect: Unallowable expenditures may have been paid with federal funds. Questioned Costs: $566,340 Context: Total federal expenditures for the Education Stabilization Fund program were $323,733,675 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that WVDE strengthen its internal controls over subrecipient monitoring to ensure that all invoices are accurate and that costs are for appropriately procured and eligible good or service under the federal program. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–033 CASH MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 2 – Higher Education, (Higher Education Emergency Relief Fund (HEERF)) COVID-19 84.425E, F, J; Grant Award P425J200063, Grant Award P425E201113, Grant Award P425F201736, Grant Award P425J200056 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” For CRRSAA, HEERF II and ARP HEERF III, the Certification and Agreements and/or Supplemental Agreements requires that Student Aid Portion (Assistance Listing 84.425E) should be disbursed within 15 calendar days of the drawdown from ED’s G5 grants system and Institutional Aid Portion, (a)(2), and (a)(3) funds (all other ALNs) should be disbursed within three calendar days of the drawdown from G5. For lost revenue, the “obligation” occurs on the date the institution completes its estimate of its amount of lost revenue after the estimation period. Condition: For three disbursement samples for Bluefield State College (BSC) we noted that the disbursements did not occur within 3 calendar days of the drawdown from ED’s G5 grants system. In addition, during our review of the schedule of expenditures of federal awards, we noted West Virginia State University (WVSU) had an ending cash balance of $397,412 at June 30, 2023. Cause: BSC incurred the expenses and performed the drawdown from the ED’s G5 grants system. Three of the expenses were paid by the State of West Virginia on behalf of Bluefield State College and these expenses were initially rejected by the State auditor and while subsequently resolved and paid, the timing caused the time lag between the drawdown date and the payment date to be outside of the allowed 3 calendar days. WVSU did not have adequate internal controls in place to ensure a thorough review of cash balance on hand was performed prior to performing drawdowns from the ED’s G5 grants system. Effect or Potential Effect: BSC was not incompliance with the requirement to disburse funds within 3 days of the drawdown from G5. WVSU has over drawn funds under the HEERF program resulting in an ending cash balance at June 30, 2023. Consequently, this resulted in a violation of the cash management rules. Questioned Costs: $397,412 (Grant Award No’s: P425E201113, P425F201736, P425J200056 Context: Total BSC expenditures for the HEERF were $5,959,981 and the total WVSU expenditures for the HEERF were $13,084,264 representing 1.8% and 4.0%, respectively of the total Education Stabilization Fund and HEERF (84.425) expenditures of $323,733,675 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–024 Recommendation: Management of BSC and WVSU should enhance its internal controls to ensure funds are disbursed within the stipulated time frame and/or drawdown funds after the expenditures have been disbursed. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–032 INTERNAL CONTROLS OVER ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 2 – Higher Education, (Higher Education Emergency Relief Fund (HEERF)) COVID-19 84.425F, Grant Award P425F201180 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: During our testing of allowability at West Liberty University (WLU), we noted $1,017,478 was disbursed in student aid payments from the HEERF institutional funds. The detail report on student enrollment and outstanding balances was generated from Banner and downloaded into an excel file. WLU did not retain the detail Banner report or report parameters used to run the report, therefore, we could not support the completeness and accuracy of the report. In addition, in our allowability testing we noted 1 instance where the appropriate review and approval of the costs charged to the HEERF program was not noted. Cause: Management did not retain the supporting documentation for the detail Banner report on student enrollment or outstanding balances. For the 1 instance there was no documentation to support that the review of the expenditure for allowability was performed. Effect or Potential Effect: There is a risk that the report on student enrollment and outstanding balances generated from the Banner system is inaccurate or incomplete. This may further lead to improper amounts applied to the student’s accounts. In addition, lack of an appropriate review and approval of expenditures could potentially lead to unallowable costs charged to the program. Questioned Costs: None Context: Total HEERF expenditures for WLU was $3,298,313 for the year ended June 30, 2023. The total expenditures for the HEERF program for the year ended June 30, 2023 were $323,733,675. Identification as a Repeat Finding: Prior Year Finding 2022–023 Recommendation: We recommend Management retain the supporting Banner reports and report parameters to support the accuracy and completeness of the data.
In addition, we recommend Management to document the review and approval of costs charged to the HEERF program. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–033 CASH MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 2 – Higher Education, (Higher Education Emergency Relief Fund (HEERF)) COVID-19 84.425E, F, J; Grant Award P425J200063, Grant Award P425E201113, Grant Award P425F201736, Grant Award P425J200056 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” For CRRSAA, HEERF II and ARP HEERF III, the Certification and Agreements and/or Supplemental Agreements requires that Student Aid Portion (Assistance Listing 84.425E) should be disbursed within 15 calendar days of the drawdown from ED’s G5 grants system and Institutional Aid Portion, (a)(2), and (a)(3) funds (all other ALNs) should be disbursed within three calendar days of the drawdown from G5. For lost revenue, the “obligation” occurs on the date the institution completes its estimate of its amount of lost revenue after the estimation period. Condition: For three disbursement samples for Bluefield State College (BSC) we noted that the disbursements did not occur within 3 calendar days of the drawdown from ED’s G5 grants system. In addition, during our review of the schedule of expenditures of federal awards, we noted West Virginia State University (WVSU) had an ending cash balance of $397,412 at June 30, 2023. Cause: BSC incurred the expenses and performed the drawdown from the ED’s G5 grants system. Three of the expenses were paid by the State of West Virginia on behalf of Bluefield State College and these expenses were initially rejected by the State auditor and while subsequently resolved and paid, the timing caused the time lag between the drawdown date and the payment date to be outside of the allowed 3 calendar days. WVSU did not have adequate internal controls in place to ensure a thorough review of cash balance on hand was performed prior to performing drawdowns from the ED’s G5 grants system. Effect or Potential Effect: BSC was not incompliance with the requirement to disburse funds within 3 days of the drawdown from G5. WVSU has over drawn funds under the HEERF program resulting in an ending cash balance at June 30, 2023. Consequently, this resulted in a violation of the cash management rules. Questioned Costs: $397,412 (Grant Award No’s: P425E201113, P425F201736, P425J200056 Context: Total BSC expenditures for the HEERF were $5,959,981 and the total WVSU expenditures for the HEERF were $13,084,264 representing 1.8% and 4.0%, respectively of the total Education Stabilization Fund and HEERF (84.425) expenditures of $323,733,675 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–024 Recommendation: Management of BSC and WVSU should enhance its internal controls to ensure funds are disbursed within the stipulated time frame and/or drawdown funds after the expenditures have been disbursed. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–031 INTERNAL CONTROLS OVER ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 2 – Higher Education, (Higher Education Emergency Relief Fund (HEERF)) COVID-19 84.425J, Grant Award –P425J200056 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the West Virginia State University (WVSU) must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: In our testing of payroll expenditures charged to the HEERF, we noted 7 transactions for which the employee’s time sheets were not approved. Cause: WVSU does not have proper internal controls in place to ensure that timesheets are approved by the employee’s supervisor/manager. Effect or Potential Effect: Potentially incorrect or unallowable costs could be charged to the federal program. Questioned Costs: None Context: We tested a total of 40 payroll transactions (total costs of $91,515) for the WVSU and for 7 payroll transactions (totaling $19,645), timesheets were not approved by the employee’s supervisor or manager. Total payroll expenditures charged to HEERF in fiscal year 2023 was $8,706,376. The total expenditures for the HEERF program is $323,733,675 for the year ended June 30, 2023. Identification as a Repeat Finding: This finding is not a repeat finding from prior year. Recommendation: We recommend that WVSU strengthen its internal controls to ensure that all timesheets are approved to ensure allowable costs are charged under the federal program. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–033 CASH MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 2 – Higher Education, (Higher Education Emergency Relief Fund (HEERF)) COVID-19 84.425E, F, J; Grant Award P425J200063, Grant Award P425E201113, Grant Award P425F201736, Grant Award P425J200056 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” For CRRSAA, HEERF II and ARP HEERF III, the Certification and Agreements and/or Supplemental Agreements requires that Student Aid Portion (Assistance Listing 84.425E) should be disbursed within 15 calendar days of the drawdown from ED’s G5 grants system and Institutional Aid Portion, (a)(2), and (a)(3) funds (all other ALNs) should be disbursed within three calendar days of the drawdown from G5. For lost revenue, the “obligation” occurs on the date the institution completes its estimate of its amount of lost revenue after the estimation period. Condition: For three disbursement samples for Bluefield State College (BSC) we noted that the disbursements did not occur within 3 calendar days of the drawdown from ED’s G5 grants system. In addition, during our review of the schedule of expenditures of federal awards, we noted West Virginia State University (WVSU) had an ending cash balance of $397,412 at June 30, 2023. Cause: BSC incurred the expenses and performed the drawdown from the ED’s G5 grants system. Three of the expenses were paid by the State of West Virginia on behalf of Bluefield State College and these expenses were initially rejected by the State auditor and while subsequently resolved and paid, the timing caused the time lag between the drawdown date and the payment date to be outside of the allowed 3 calendar days. WVSU did not have adequate internal controls in place to ensure a thorough review of cash balance on hand was performed prior to performing drawdowns from the ED’s G5 grants system. Effect or Potential Effect: BSC was not incompliance with the requirement to disburse funds within 3 days of the drawdown from G5. WVSU has over drawn funds under the HEERF program resulting in an ending cash balance at June 30, 2023. Consequently, this resulted in a violation of the cash management rules. Questioned Costs: $397,412 (Grant Award No’s: P425E201113, P425F201736, P425J200056 Context: Total BSC expenditures for the HEERF were $5,959,981 and the total WVSU expenditures for the HEERF were $13,084,264 representing 1.8% and 4.0%, respectively of the total Education Stabilization Fund and HEERF (84.425) expenditures of $323,733,675 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–024 Recommendation: Management of BSC and WVSU should enhance its internal controls to ensure funds are disbursed within the stipulated time frame and/or drawdown funds after the expenditures have been disbursed. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–029 REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 1 – Elementary and Secondary Education COVID-19 84.425D/84.425R/84.425U/84.425V, Grant Award S425R210008, Grant Award S425D210036, Grant Award S425U210036, Grant Award S425V210008 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the American Rescue Plan (ARP) Act and 34 CFR Part 76, grantees that receive Elementary and Secondary School Emergency Relief (ESSER) Fund, Governor’s Emergency Education Relief (GEER) Fund and Emergency Assistance to Nonpublic Schools (EANS) Program must submit an annual performance report with data on expenditures, planned expenditures, subrecipients, and uses of funds, including for mandatory reservations. Condition: Management did not provide evidence of the review and approval of the annual ESSER and EANS report. In addition, for the annual EANS report, documentation supporting the amounts reported was not provided. Cause: The Department of Education did not have sufficient internal controls over the review and approval of the annual ESSER and EANS reports. In addition, sufficient internal controls are not in place to require the maintenance of supporting documentation. Effect or Potential Effect: ESSER and EANS reports submitted could have incorrect or inaccurate data/amounts. Questioned Costs: N/A Context: The ESSER and the EANS annual reports submitted relate to year ended June 30, 2022. The total expenditures for the ARP ESSER and ARP EANS programs in fiscal year 2022 were $163,642,108 and $2,989,943, respectively. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend WVDE enforces the existing policies and procedures and retain documentation over review and approval of reports prior to submission. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–027 MAINTENANCE OF EFFORT
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF) COVID-19 84.425U, Grant Award S425D210036, Grant Award S425V210008, Grant Award S425U210036, Grant Award S425U210036 – 21A, Grant Award S425W210050 – 21A, Grant Award S425D200036 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under section 317 of the Coronavirus Response and Relief Supplemental Appropriation (CRRSA) Act, for fiscal year 2022, a state that receives Elementary and Secondary School Emergency Relief (ESSER) II, Governor’s Emergency Education Relief (GEER) II, or Emergency Assistance to Nonpublic Schools (EANS) funds under the CRRSA Act must: a) Maintain State support for elementary and secondary education in fiscal year 2022 at least at the proportional level of the state’s support for elementary and secondary education relative to the state’s overall spending, averaged over fiscal years 2017, 2018, and 2019; and b) Maintain state support for higher education in fiscal year 2022 at least at the proportional level of the state’s support for higher education relative to the state’s overall spending, averaged over fiscal years 2017, 2018, and 2019. Under section 2004(a) of the American Rescue Plan (ARP) Act, a state that receives ARP ESSER funds must meet the above Maintenance of Effort (MOE) requirement in each of fiscal years 2022 and 2023. Condition: The Department of Education did not provide the calculations to support meeting the maintenance of effort provisions for fiscal year 2023. Cause: The Department of Education did not provide the documentation and calculations supporting the maintenance of effort for fiscal year 2023. The calculations are performed by the State Budget Office and the calculations have not been prepared as of the date of the audit report. The Department of Education had previously requested a waiver from the provisions but did not receive approval specific to fiscal year 2023. Effect or Potential Effect: The ESF did not meet the maintenance of effort requirement. Questioned Costs: N/A Context: Total federal expenditures for the ESF program for the fiscal year ended June 30, 2023, were $323,733,675. Identification as a Repeat Finding: Prior Year Finding 2022-021 Recommendation: The West Virginia Department of Education management and the State Legislative officials need to implement procedures to ensure adequate appropriations are made to meet the maintenance of effort requirements. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–029 REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 1 – Elementary and Secondary Education COVID-19 84.425D/84.425R/84.425U/84.425V, Grant Award S425R210008, Grant Award S425D210036, Grant Award S425U210036, Grant Award S425V210008 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the American Rescue Plan (ARP) Act and 34 CFR Part 76, grantees that receive Elementary and Secondary School Emergency Relief (ESSER) Fund, Governor’s Emergency Education Relief (GEER) Fund and Emergency Assistance to Nonpublic Schools (EANS) Program must submit an annual performance report with data on expenditures, planned expenditures, subrecipients, and uses of funds, including for mandatory reservations. Condition: Management did not provide evidence of the review and approval of the annual ESSER and EANS report. In addition, for the annual EANS report, documentation supporting the amounts reported was not provided. Cause: The Department of Education did not have sufficient internal controls over the review and approval of the annual ESSER and EANS reports. In addition, sufficient internal controls are not in place to require the maintenance of supporting documentation. Effect or Potential Effect: ESSER and EANS reports submitted could have incorrect or inaccurate data/amounts. Questioned Costs: N/A Context: The ESSER and the EANS annual reports submitted relate to year ended June 30, 2022. The total expenditures for the ARP ESSER and ARP EANS programs in fiscal year 2022 were $163,642,108 and $2,989,943, respectively. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend WVDE enforces the existing policies and procedures and retain documentation over review and approval of reports prior to submission. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–030 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 1 – Elementary and Secondary Education COVID-19 84.425D/84.425U; Grant Award – S425U210036, Grant Award – S425D210036, Grant Award – S425D200036 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the West Virginia Department of Education must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.403 requires that costs “be necessary and reasonable for the performance of the Federal award.” Costs should not consist of improper payments, including payments that were made to an ineligible party or for an ineligible good or service or payments for goods or services not received. Condition: The West Virginia Department of Education (WVDE) paid a Local Educational Agency invoice amounting to $566,340 for which the good or service was not received or was only partially received. Cause: WVDE paid invoices to a Local Educational Agency that has not followed the appropriate procurement procedures. Effect or Potential Effect: Unallowable expenditures may have been paid with federal funds. Questioned Costs: $566,340 Context: Total federal expenditures for the Education Stabilization Fund program were $323,733,675 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that WVDE strengthen its internal controls over subrecipient monitoring to ensure that all invoices are accurate and that costs are for appropriately procured and eligible good or service under the federal program. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–029 REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 1 – Elementary and Secondary Education COVID-19 84.425D/84.425R/84.425U/84.425V, Grant Award S425R210008, Grant Award S425D210036, Grant Award S425U210036, Grant Award S425V210008 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the American Rescue Plan (ARP) Act and 34 CFR Part 76, grantees that receive Elementary and Secondary School Emergency Relief (ESSER) Fund, Governor’s Emergency Education Relief (GEER) Fund and Emergency Assistance to Nonpublic Schools (EANS) Program must submit an annual performance report with data on expenditures, planned expenditures, subrecipients, and uses of funds, including for mandatory reservations. Condition: Management did not provide evidence of the review and approval of the annual ESSER and EANS report. In addition, for the annual EANS report, documentation supporting the amounts reported was not provided. Cause: The Department of Education did not have sufficient internal controls over the review and approval of the annual ESSER and EANS reports. In addition, sufficient internal controls are not in place to require the maintenance of supporting documentation. Effect or Potential Effect: ESSER and EANS reports submitted could have incorrect or inaccurate data/amounts. Questioned Costs: N/A Context: The ESSER and the EANS annual reports submitted relate to year ended June 30, 2022. The total expenditures for the ARP ESSER and ARP EANS programs in fiscal year 2022 were $163,642,108 and $2,989,943, respectively. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend WVDE enforces the existing policies and procedures and retain documentation over review and approval of reports prior to submission. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–017 SPECIAL TESTS AND PROVISIONS – SATISFACTORY ACADEMIC PROGRESS (N9)
Federal Program Information: Federal Agency and Program Name Assistance Listing #
Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” 34 CFR 668.16(e) states: “For purposes of determining student eligibility for assistance under a title IV, HEA program, establishes, publishes, and applies reasonable standards for measuring whether an otherwise eligible student is maintaining satisfactory academic progress in his or her educational program. The Secretary considers an institution's standards to be reasonable if the standards are in accordance with the provisions specified in § 668.34.” 34 CFR 668.34 states: “An institution must establish a reasonable satisfactory academic progress policy for determining whether an otherwise eligible student is making satisfactory academic progress in his or her educational program and may receive assistance under the title IV, HEA programs. The Secretary considers the institution's policy to be reasonable if— (1) The policy is at least as strict as the policy the institution applies to a student who is not receiving assistance under the title IV, HEA programs; (2) The policy provides for consistent application of standards to all students within categories of students, e.g., full-time, part-time, undergraduate, and graduate students, and educational programs established by the institution; (3) The policy provides that a student's academic progress is evaluated— (i) At the end of each payment period if the educational program is either one academic year in length or shorter than an academic year; or (ii) For all other educational programs, at the end of each payment period or at least annually to correspond with the end of a payment period; (4) (i) The policy specifies the grade point average (GPA) that a student must achieve at each evaluation, or if a GPA is not an appropriate qualitative measure, a comparable assessment measured against a norm; and (ii) If a student is enrolled in an educational program of more than two academic years, the policy specifies that at the end of the second academic year, the student must have a GPA of at least a “C” or its equivalent, or have academic standing consistent with the institution's requirements for graduation; (5) The policy specifies— (i) For all programs, the maximum timeframe as defined in paragraph (b) of this section; and (ii) For a credit hour program using standard or nonstandard terms that is not a subscription-based program, the pace, measured at each evaluation, at which a student must progress through his or her educational program to ensure that the student will complete the program within the maximum timeframe, calculated by either dividing the cumulative number of hours the student has successfully completed by the cumulative number of hours the student has attempted or by determining the number of hours that the student should have completed by the evaluation point in order to complete the program within the maximum timeframe. In making this calculation, the institution is not required to include remedial courses; (6) The policy describes how a student's GPA and pace of completion are affected by course incompletes, withdrawals, or repetitions, or transfers of credit from other institutions. Credit hours from another institution that are accepted toward the student's educational program must count as both attempted and completed hours; (7) Except as provided in paragraphs (c) and (d) of this section, the policy provides that, at the time of each evaluation, a student who has not achieved the required GPA, or who is not successfully completing his or her educational program at the required pace, is no longer eligible to receive assistance under the title IV, HEA programs; (8) If the institution places students on financial aid warning, or on financial aid probation, as defined in paragraph (b) of this section, the policy describes these statuses and that— (i) A student on financial aid warning may continue to receive assistance under the title IV, HEA programs for one payment period despite a determination that the student is not making satisfactory academic progress. Financial aid warning status may be assigned without an appeal or other action by the student; and (ii) A student on financial aid probation may receive title IV, HEA program funds for one payment period. While a student is on financial aid probation, the institution may require the student to fulfill specific terms and conditions such as taking a reduced course load or enrolling in specific courses. At the end of one payment period on financial aid probation, the student must meet the institution's satisfactory academic progress standards or meet the requirements of the academic plan developed by the institution and the student to qualify for further title IV, HEA program funds; (9) If the institution permits a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy describes— (i) How the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; (ii) The basis on which a student may file an appeal: The death of a relative, an injury or illness of the student, or other special circumstances; and (iii) Information the student must submit regarding why the student failed to make satisfactory academic progress, and what has changed in the student's situation that will allow the student to demonstrate satisfactory academic progress at the next evaluation; (10) If the institution does not permit a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy must describe how the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; and (11) The policy provides for notification to students of the results of an evaluation that impacts the student's eligibility for title IV, HEA program funds.” Condition: Bluefield State University (BSU), Fairmont State University (FSU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia School of Osteopathic Medicine (WVSOM), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the satisfactory academic progress (SAP) policy. During our testing, we noted there was no documentation retained to evidence that a review of the SAP policy was performed to ensure compliance with federal regulations. Additionally, Blue Ridge Community College (BRCTC) and WVUP did not publish the most recent version of the SAP policy on their websites. Furthermore, WVSOM did not include reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policy as the related SAP polices excluded the required element #11 above. BRCTC had an appropriate policy, but they did not publish the most recent version of the policy on their website. The older version of the SAP policy that was published on their website did not include the required element #11 above. Cause: Management of BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP did not retain sufficient documentation for their review procedures over the SAP policy. Management of BRCTC and WVSOM did not include all reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policies. Effect or Potential Effect: The published SAP policy may be deemed insufficient for the compliance requirements. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP were $5,084,582, $7,651,688, $17,584,932, $93,991,163, $3,672,778, $16,726,007, $3,090,314, $44,681,370, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should ensure the SAP is reviewed and approved on an annual basis and supporting documentation of the review retained. Management should design and implement internal controls over the SAP policy to ensure all requirements are included in the policy appropriately and published on the institution’s website timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–019 SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY (N12)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls. (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (iv) Assess apps developed by the institution (v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (vi) Dispose of customer information securely (vii) Anticipate and evaluate changes to the information system or network. (viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Blue Ridge Community and Technical College (BRCTC), Concord University (CU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program for Bluefield University (BSU), CU, MU, NRCTC, Shepherd University (SU), WLU, WVNCC, West Virginia State University (WVSU) and WVUP did not address all required elements per 16 CFR 314.4 outlined above. Furthermore, Fairmont State University (FSU) and Pierpont Community and Technical College (PCTC) did not have a written Information Security Program. For FSU, the written Information Security Program was not in place until May 2023. Cause: Management of BRCTC, CU, MU, NRCTC, WLU, WVNCC, and WVUP did not retain sufficient documentation for their review procedures over the Information Security Program. Management of BSU, CU, MU, NRCTC, SU, WVNCC, and WVSU did not include all reasonable standards required for the Information Security Program. Management of FSU and PCTC did not have a written Information Security Program. Effect or Potential Effect: The written Information Security Program may not be compliant with federal regulations. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, CU, FSU, MU, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, and WVUP were $5,084,582, $7,651,688, $13,833,684, $17,584,932, $93,991,163, $3,672,778, $4,388,461, $15,171,851, $16,726,007, $3,090,314, $9,313,808, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–020 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – VERIFICATION (N1)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Fairmont State University (FSU) did not have adequate internal controls in place surrounding the verification compliance requirement. During our testing, we noted for the samples selected that there were multiple selections showing a lack of proper review in the verification process. Cause: FSU did not have adequate internal controls in place to ensure that verification changes identified were processed and submitted to the U.S. Department of Education. Effect or Potential Effect: Students receiving federal aid could receive the incorrect amount of federal student financial assistance. Questioned Costs: N/A Context: We selected a sample of 23 students for FSU and identified 8 instances where the verification forms were not reviewed and approved. Total Student Financial Assistance Cluster expenditures for FSU were $17,584,932 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–015 and 2021–014 Recommendation: Management should develop and update internal controls to ensure that controls related to the verification process are implemented. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–021 BANNER INFORMATION TECHNOLOGY GENERAL CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the Banner application instances at 12 of 15 universities / colleges. As a result, Banner ITGCs, and therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Across the 11 universities/colleges (Blue Ridge Community and Technical College, Bluefield State University, Mountwest Community and Technical College, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia University, West Virginia University at Parkersburg, and West Virginia State University), management did not have a formalized process to support access provisioning events were authorized, approved and documented. Additionally, documentation did not exist to support the timely revocation of access upon a user leaving the university / college. Further, a user access review for Banner was not performed to ensure access remains appropriate based on users’ job responsibilities. We also identified instances where privileged accounts to Banner were shared amongst users and password settings were not configured with leading industry standards. Specific to the change management process, a formalized and documented process was not consistently followed to support that Banner application and supporting infrastructure patches and releases were authorized, tested, and approved prior to being implemented to production. Effect or Potential Effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the student financial aid system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned Costs: None Context: The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified Banner access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the Banner application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the Banner application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access to the Banner application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. Management should configure Banner password settings related to minimum length, complexity, expiration, history, and account lockout to enhance overall security. Further, privileged access to the Banner application should be granted to administrators via unique IDs to provide accountability and avoid the sharing of default privileged accounts. A formal, documented change process needs implemented to capture authorization, testing and production migration approvals for patches and releases to the Banner application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–024 SPECIAL TESTS AND PROVISIONS – USING A SERVICER TO DELIVER TITLE IV CREDIT BALANCES TO A CARD OR OTHER ACCESS DEVICE (N3)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” An institution may enter into an arrangement with a servicer or a financial institution to make a direct payment of federal student aid credit balances to students through electronic funds transfer to a bank account designated by a student or parent, to issue a check payment to the student or to use an access device such as a debit, demand, or smart card provided by the servicer or its financial partner. Regulations at 34 CFR 668.164(e) and (f) establish two different types of arrangements between schools and financial account providers: Tier One arrangements and Tier Two arrangements. The type of arrangement determines the provisions that are applicable to the school. 34 CFR 668.164(e)(2)(viii) states under a T1 arrangement, the institution must “provide to the Secretary an up-to-date URL for the contract and contract data as described in paragraph (e)(2)(vii) of this section for publication in a centralized database accessible to the public.” 34 CFR 668.164(e)(2)(ix) states under a T1 arrangement, the institution must “ensure that the terms of the accounts offered pursuant to a T1 arrangement are not inconsistent with the best financial interests of the students opening them. The Secretary considers this requirement to be met if (A) The institution documents that it conducts reasonable due diligence reviews at least every two years to ascertain whether the fees imposed under the T1 arrangement are, considered as a whole, consistent with or below prevailing market rates; and (B) All contracts for the marketing or offering of accounts pursuant to T1 arrangements to the institution's students make provision for termination of the arrangement by the institution based on complaints received from students or a determination by the institution under paragraph (e)(2)(ix)(A) of this section that the fees assessed under the T1 arrangement are not consistent with or are higher than prevailing market rates.” 34 CFR 668.164(e)(2)(x) states under a T1 arrangement, the institution must “take affirmative steps, by way of contractual arrangements with the third-party servicer as necessary, to ensure that requirements of this section are met with respect to all accounts offered pursuant to T1 arrangements.” Condition: Bluefield State University (BSU), Blueridge Community & Technical College (BRCTC), Concord University (CU), Mountwest Community & Technical College (MCTC), Shepherd University (SU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) have a T1 arrangement with a third-party servicer. BSU, CU, SU, WVNCC, and WVUP were unable to provide documentation showing that their institutions had submitted a URL to their contract with their third-party servicer and cost information related to their third-party servicer to the U.S. Department of Education for publication in the Cash Management Contracts Database. BSU, BRCTC, CU, MCTC, SU and WVNCC were unable to provide evidence showing that their institutions documented a due diligence review over the fees assessed by their third-party servicer of Title IV credit balances. Cause: BSU, BRCTC, CU, MCTC, SU, WVUP, and WVNCC did not have an internal control in place to review the contract with their third-party servicer of Title IV credit balances or obtain and review the third-party servicer’s Title IV compliance audit to ensure compliance with federal regulations. As such, instances of noncompliance were noted above. Effect or Potential Effect: The schools are not in compliance with certain federal regulations over T1 arrangements contained in 34 CFR 668.164(e). Questioned Costs: None Context: BSU, BRCTC, CU, MCTC, SU, WVNCC, and WVUP had total expenditures of $7,651,688, $5,084,582, $13,833,684, $4,467,631, $15,171,851, $3,090,314, and $6,847,451 respectively. Total expenditures for the SFA Cluster were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: The schools should implement internal controls over the review of the contract with their third-party servicer of Title IV credit balances and their Title IV compliance audit, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1) and Report on Controls Relevant to Security (SOC 2) to ensure compliance with the federal regulations over T1 arrangements. Documentation over the specific items reviewed and conclusions reached should be retained to support the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–004 INTERNAL CONTROLS OVER SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Opioid STR 93.788, Grant Award 1H79TI085744-01, Grant Award 1H79TI083313-01, Grant Award 6H79TI083313-02M002, Grant Award 6H79TI083313-02M004, Grant Award 5H79TI083313-02 Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04, Child Care and Development Fund (CCDF) Cluster 93.575/93.596/COVID-19 93.575, Grant Award G2201WVCCDF, Grant Award G2301WVCCDF Temporary Assistance for Needy Families 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: During our internal control testing of subrecipient monitoring, we determined that the subrecipient risk assessment performed did not clearly conclude the level of risk assessed (Low, Medium, High) for each subrecipient. Cause: The internal controls over subrecipient monitoring are not designed sufficiently to require a conclusion to be reached on a subrecipient’s risk assessment to determine the level of monitoring required to be performed. Effect or Potential Effect: Subrecipients may not be properly risk assessed; therefore, impacting the type and amount of monitoring that would be performed in the future. Questioned Costs: N/A Context: The federal expenditures and subrecipient expenditures for the Opioid STR program for the fiscal year ended June 30, 2023, were $34,877,309 and $32,388,417, respectively. The federal expenditures and subrecipient expenditures for the Child Care and Development Fund (CCDF Cluster) for the fiscal year ended June 30, 2023, were $202,427,780 and $45,239,361, respectively. The federal expenditures and subrecipient expenditures for the Temporary Assistance for Needy Families for the fiscal year ended June 30, 2023, were $85,510,454, and $18,789,521, respectively. Identification as a Repeat Finding: Prior Year Finding 2022–041 Recommendation: We recommend that DHHR management review its internal controls over the risk assessment process to perform the risk assessment and conclude on the level of risk and monitoring required. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–034 SUBRECIPIENT CASH MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.305(b)(1) requires that the non-federal entity must “monitor cash drawdowns by their subrecipients to ensure that the time elapsing between the transfer of federal funds to the subrecipient and their disbursement for program purposes is minimized as required by the applicable cash management requirements in the federal award to the recipient.” Per DHHR policy, the Spending Unit shall limit cash advances to a subrecipient to the minimum amounts needed and be timed in accordance with the actual, immediate cash requirements of the subrecipient for carrying out the purpose of the approved program or project. The timing and amount of cash advances shall be as close as is administratively feasible to the actual disbursements by the subrecipient for direct program or project costs and the proportionate share of any allowable indirect costs. Condition: During our testing of Epidemiology and Laboratory Capacity for Infectious Diseases, the West Virginia Department of Health and Human Resources (DHHR) was unable to provide adequate documentation supporting why a subrecipient drawdown was approved for payment for 1 of the 36 drawdowns selected for testing. The supporting documentation for the draw down showed less expenses than the amount that had been drawn down to date on the grants and also showed the subrecipient appeared to have adequate cash balances on hand at the time of the request. Cause: Supporting documentation was not retained to demonstrate cash advances to the subrecipient represented the minimum amount needed for actual and immediate cash requirements of the subrecipient for carrying out the purpose of the program. Effect or Potential Effect: The cash remitted to the subrecipient may not be accurate and may be in excess of the subrecipients actual and immediate cash requirements for carrying out the purpose of the program. Questioned Costs: $77,063 Context: The total subrecipient drawdowns selected for testing was $1,879,150. The total amount of subrecipient drawdowns for the Epidemiology program during FY23 was $7,478,038. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that DHHR establish policies and procedures requiring documentation from subrecipients substantiating that the amount of a drawdown is appropriate based on the expenditures through the request date so that the reconciliation preformed for the related drawdown is sufficient to determine that the drawdown is appropriate and excess cash is not remitted to the subrecipient. View of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–058 EQUIPMENT AND REAL PROPERTY MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.313(b) requires a state use, manage and dispose of equipment acquired under a Federal award by the state in accordance with state laws and procedures. According to State Policy, “All agencies are required to take a physical inventory once every three years, and shall have completed such physical inventory by June 30th of the relevant year. The physical inventory shall include viewing of all Reportable Assets under the agency’s jurisdiction. The head of every spending unit of state government shall, on or before the fifteenth day of July of each year, file with the Purchasing Division director an inventory of all real and personal property, and of all equipment, supplies and commodities in its possession as of the close of the last fiscal year as stated in West Virginia Code §5A-3-35. Condition: During our testing of Epidemiology and Laboratory Capacity for Infectious Diseases, the West Virginia Department of Health and Human Resources (DHHR) was unable to provide adequate documentation supporting the most recent physical inventory of fixed assets for the agency. Cause: Adequate documentation supporting compliance with the State’s policies regarding physical inventory was not provided. Effect or Potential Effect: The Epidemiology and Laboratory Capacity for Infectious Diseases Program may not be in compliance with the requirements of F. Equipment & Real Property Management. Questioned Costs: Unknown Context: The total expenditures for the year ended June 30, 2023 were $23,002,255. Total equipment purchases for FY 2023 were $2,533,124. Identification as a Repeat Finding: This is not a repeat finding from prior year. Recommendation: We recommend that DHHR follow the State’s established policies and maintain documentation evidencing the internal control and oversight of fixed asset management. View of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–004 INTERNAL CONTROLS OVER SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Opioid STR 93.788, Grant Award 1H79TI085744-01, Grant Award 1H79TI083313-01, Grant Award 6H79TI083313-02M002, Grant Award 6H79TI083313-02M004, Grant Award 5H79TI083313-02 Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04, Child Care and Development Fund (CCDF) Cluster 93.575/93.596/COVID-19 93.575, Grant Award G2201WVCCDF, Grant Award G2301WVCCDF Temporary Assistance for Needy Families 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: During our internal control testing of subrecipient monitoring, we determined that the subrecipient risk assessment performed did not clearly conclude the level of risk assessed (Low, Medium, High) for each subrecipient. Cause: The internal controls over subrecipient monitoring are not designed sufficiently to require a conclusion to be reached on a subrecipient’s risk assessment to determine the level of monitoring required to be performed. Effect or Potential Effect: Subrecipients may not be properly risk assessed; therefore, impacting the type and amount of monitoring that would be performed in the future. Questioned Costs: N/A Context: The federal expenditures and subrecipient expenditures for the Opioid STR program for the fiscal year ended June 30, 2023, were $34,877,309 and $32,388,417, respectively. The federal expenditures and subrecipient expenditures for the Child Care and Development Fund (CCDF Cluster) for the fiscal year ended June 30, 2023, were $202,427,780 and $45,239,361, respectively. The federal expenditures and subrecipient expenditures for the Temporary Assistance for Needy Families for the fiscal year ended June 30, 2023, were $85,510,454, and $18,789,521, respectively. Identification as a Repeat Finding: Prior Year Finding 2022–041 Recommendation: We recommend that DHHR management review its internal controls over the risk assessment process to perform the risk assessment and conclude on the level of risk and monitoring required. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–034 SUBRECIPIENT CASH MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.305(b)(1) requires that the non-federal entity must “monitor cash drawdowns by their subrecipients to ensure that the time elapsing between the transfer of federal funds to the subrecipient and their disbursement for program purposes is minimized as required by the applicable cash management requirements in the federal award to the recipient.” Per DHHR policy, the Spending Unit shall limit cash advances to a subrecipient to the minimum amounts needed and be timed in accordance with the actual, immediate cash requirements of the subrecipient for carrying out the purpose of the approved program or project. The timing and amount of cash advances shall be as close as is administratively feasible to the actual disbursements by the subrecipient for direct program or project costs and the proportionate share of any allowable indirect costs. Condition: During our testing of Epidemiology and Laboratory Capacity for Infectious Diseases, the West Virginia Department of Health and Human Resources (DHHR) was unable to provide adequate documentation supporting why a subrecipient drawdown was approved for payment for 1 of the 36 drawdowns selected for testing. The supporting documentation for the draw down showed less expenses than the amount that had been drawn down to date on the grants and also showed the subrecipient appeared to have adequate cash balances on hand at the time of the request. Cause: Supporting documentation was not retained to demonstrate cash advances to the subrecipient represented the minimum amount needed for actual and immediate cash requirements of the subrecipient for carrying out the purpose of the program. Effect or Potential Effect: The cash remitted to the subrecipient may not be accurate and may be in excess of the subrecipients actual and immediate cash requirements for carrying out the purpose of the program. Questioned Costs: $77,063 Context: The total subrecipient drawdowns selected for testing was $1,879,150. The total amount of subrecipient drawdowns for the Epidemiology program during FY23 was $7,478,038. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that DHHR establish policies and procedures requiring documentation from subrecipients substantiating that the amount of a drawdown is appropriate based on the expenditures through the request date so that the reconciliation preformed for the related drawdown is sufficient to determine that the drawdown is appropriate and excess cash is not remitted to the subrecipient. View of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–058 EQUIPMENT AND REAL PROPERTY MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.313(b) requires a state use, manage and dispose of equipment acquired under a Federal award by the state in accordance with state laws and procedures. According to State Policy, “All agencies are required to take a physical inventory once every three years, and shall have completed such physical inventory by June 30th of the relevant year. The physical inventory shall include viewing of all Reportable Assets under the agency’s jurisdiction. The head of every spending unit of state government shall, on or before the fifteenth day of July of each year, file with the Purchasing Division director an inventory of all real and personal property, and of all equipment, supplies and commodities in its possession as of the close of the last fiscal year as stated in West Virginia Code §5A-3-35. Condition: During our testing of Epidemiology and Laboratory Capacity for Infectious Diseases, the West Virginia Department of Health and Human Resources (DHHR) was unable to provide adequate documentation supporting the most recent physical inventory of fixed assets for the agency. Cause: Adequate documentation supporting compliance with the State’s policies regarding physical inventory was not provided. Effect or Potential Effect: The Epidemiology and Laboratory Capacity for Infectious Diseases Program may not be in compliance with the requirements of F. Equipment & Real Property Management. Questioned Costs: Unknown Context: The total expenditures for the year ended June 30, 2023 were $23,002,255. Total equipment purchases for FY 2023 were $2,533,124. Identification as a Repeat Finding: This is not a repeat finding from prior year. Recommendation: We recommend that DHHR follow the State’s established policies and maintain documentation evidencing the internal control and oversight of fixed asset management. View of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–017 SPECIAL TESTS AND PROVISIONS – SATISFACTORY ACADEMIC PROGRESS (N9)
Federal Program Information: Federal Agency and Program Name Assistance Listing #
Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” 34 CFR 668.16(e) states: “For purposes of determining student eligibility for assistance under a title IV, HEA program, establishes, publishes, and applies reasonable standards for measuring whether an otherwise eligible student is maintaining satisfactory academic progress in his or her educational program. The Secretary considers an institution's standards to be reasonable if the standards are in accordance with the provisions specified in § 668.34.” 34 CFR 668.34 states: “An institution must establish a reasonable satisfactory academic progress policy for determining whether an otherwise eligible student is making satisfactory academic progress in his or her educational program and may receive assistance under the title IV, HEA programs. The Secretary considers the institution's policy to be reasonable if— (1) The policy is at least as strict as the policy the institution applies to a student who is not receiving assistance under the title IV, HEA programs; (2) The policy provides for consistent application of standards to all students within categories of students, e.g., full-time, part-time, undergraduate, and graduate students, and educational programs established by the institution; (3) The policy provides that a student's academic progress is evaluated— (i) At the end of each payment period if the educational program is either one academic year in length or shorter than an academic year; or (ii) For all other educational programs, at the end of each payment period or at least annually to correspond with the end of a payment period; (4) (i) The policy specifies the grade point average (GPA) that a student must achieve at each evaluation, or if a GPA is not an appropriate qualitative measure, a comparable assessment measured against a norm; and (ii) If a student is enrolled in an educational program of more than two academic years, the policy specifies that at the end of the second academic year, the student must have a GPA of at least a “C” or its equivalent, or have academic standing consistent with the institution's requirements for graduation; (5) The policy specifies— (i) For all programs, the maximum timeframe as defined in paragraph (b) of this section; and (ii) For a credit hour program using standard or nonstandard terms that is not a subscription-based program, the pace, measured at each evaluation, at which a student must progress through his or her educational program to ensure that the student will complete the program within the maximum timeframe, calculated by either dividing the cumulative number of hours the student has successfully completed by the cumulative number of hours the student has attempted or by determining the number of hours that the student should have completed by the evaluation point in order to complete the program within the maximum timeframe. In making this calculation, the institution is not required to include remedial courses; (6) The policy describes how a student's GPA and pace of completion are affected by course incompletes, withdrawals, or repetitions, or transfers of credit from other institutions. Credit hours from another institution that are accepted toward the student's educational program must count as both attempted and completed hours; (7) Except as provided in paragraphs (c) and (d) of this section, the policy provides that, at the time of each evaluation, a student who has not achieved the required GPA, or who is not successfully completing his or her educational program at the required pace, is no longer eligible to receive assistance under the title IV, HEA programs; (8) If the institution places students on financial aid warning, or on financial aid probation, as defined in paragraph (b) of this section, the policy describes these statuses and that— (i) A student on financial aid warning may continue to receive assistance under the title IV, HEA programs for one payment period despite a determination that the student is not making satisfactory academic progress. Financial aid warning status may be assigned without an appeal or other action by the student; and (ii) A student on financial aid probation may receive title IV, HEA program funds for one payment period. While a student is on financial aid probation, the institution may require the student to fulfill specific terms and conditions such as taking a reduced course load or enrolling in specific courses. At the end of one payment period on financial aid probation, the student must meet the institution's satisfactory academic progress standards or meet the requirements of the academic plan developed by the institution and the student to qualify for further title IV, HEA program funds; (9) If the institution permits a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy describes— (i) How the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; (ii) The basis on which a student may file an appeal: The death of a relative, an injury or illness of the student, or other special circumstances; and (iii) Information the student must submit regarding why the student failed to make satisfactory academic progress, and what has changed in the student's situation that will allow the student to demonstrate satisfactory academic progress at the next evaluation; (10) If the institution does not permit a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy must describe how the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; and (11) The policy provides for notification to students of the results of an evaluation that impacts the student's eligibility for title IV, HEA program funds.” Condition: Bluefield State University (BSU), Fairmont State University (FSU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia School of Osteopathic Medicine (WVSOM), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the satisfactory academic progress (SAP) policy. During our testing, we noted there was no documentation retained to evidence that a review of the SAP policy was performed to ensure compliance with federal regulations. Additionally, Blue Ridge Community College (BRCTC) and WVUP did not publish the most recent version of the SAP policy on their websites. Furthermore, WVSOM did not include reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policy as the related SAP polices excluded the required element #11 above. BRCTC had an appropriate policy, but they did not publish the most recent version of the policy on their website. The older version of the SAP policy that was published on their website did not include the required element #11 above. Cause: Management of BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP did not retain sufficient documentation for their review procedures over the SAP policy. Management of BRCTC and WVSOM did not include all reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policies. Effect or Potential Effect: The published SAP policy may be deemed insufficient for the compliance requirements. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP were $5,084,582, $7,651,688, $17,584,932, $93,991,163, $3,672,778, $16,726,007, $3,090,314, $44,681,370, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should ensure the SAP is reviewed and approved on an annual basis and supporting documentation of the review retained. Management should design and implement internal controls over the SAP policy to ensure all requirements are included in the policy appropriately and published on the institution’s website timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–019 SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY (N12)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls. (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (iv) Assess apps developed by the institution (v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (vi) Dispose of customer information securely (vii) Anticipate and evaluate changes to the information system or network. (viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Blue Ridge Community and Technical College (BRCTC), Concord University (CU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program for Bluefield University (BSU), CU, MU, NRCTC, Shepherd University (SU), WLU, WVNCC, West Virginia State University (WVSU) and WVUP did not address all required elements per 16 CFR 314.4 outlined above. Furthermore, Fairmont State University (FSU) and Pierpont Community and Technical College (PCTC) did not have a written Information Security Program. For FSU, the written Information Security Program was not in place until May 2023. Cause: Management of BRCTC, CU, MU, NRCTC, WLU, WVNCC, and WVUP did not retain sufficient documentation for their review procedures over the Information Security Program. Management of BSU, CU, MU, NRCTC, SU, WVNCC, and WVSU did not include all reasonable standards required for the Information Security Program. Management of FSU and PCTC did not have a written Information Security Program. Effect or Potential Effect: The written Information Security Program may not be compliant with federal regulations. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, CU, FSU, MU, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, and WVUP were $5,084,582, $7,651,688, $13,833,684, $17,584,932, $93,991,163, $3,672,778, $4,388,461, $15,171,851, $16,726,007, $3,090,314, $9,313,808, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–020 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – VERIFICATION (N1)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Fairmont State University (FSU) did not have adequate internal controls in place surrounding the verification compliance requirement. During our testing, we noted for the samples selected that there were multiple selections showing a lack of proper review in the verification process. Cause: FSU did not have adequate internal controls in place to ensure that verification changes identified were processed and submitted to the U.S. Department of Education. Effect or Potential Effect: Students receiving federal aid could receive the incorrect amount of federal student financial assistance. Questioned Costs: N/A Context: We selected a sample of 23 students for FSU and identified 8 instances where the verification forms were not reviewed and approved. Total Student Financial Assistance Cluster expenditures for FSU were $17,584,932 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–015 and 2021–014 Recommendation: Management should develop and update internal controls to ensure that controls related to the verification process are implemented. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–021 BANNER INFORMATION TECHNOLOGY GENERAL CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the Banner application instances at 12 of 15 universities / colleges. As a result, Banner ITGCs, and therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Across the 11 universities/colleges (Blue Ridge Community and Technical College, Bluefield State University, Mountwest Community and Technical College, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia University, West Virginia University at Parkersburg, and West Virginia State University), management did not have a formalized process to support access provisioning events were authorized, approved and documented. Additionally, documentation did not exist to support the timely revocation of access upon a user leaving the university / college. Further, a user access review for Banner was not performed to ensure access remains appropriate based on users’ job responsibilities. We also identified instances where privileged accounts to Banner were shared amongst users and password settings were not configured with leading industry standards. Specific to the change management process, a formalized and documented process was not consistently followed to support that Banner application and supporting infrastructure patches and releases were authorized, tested, and approved prior to being implemented to production. Effect or Potential Effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the student financial aid system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned Costs: None Context: The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified Banner access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the Banner application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the Banner application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access to the Banner application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. Management should configure Banner password settings related to minimum length, complexity, expiration, history, and account lockout to enhance overall security. Further, privileged access to the Banner application should be granted to administrators via unique IDs to provide accountability and avoid the sharing of default privileged accounts. A formal, documented change process needs implemented to capture authorization, testing and production migration approvals for patches and releases to the Banner application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–024 SPECIAL TESTS AND PROVISIONS – USING A SERVICER TO DELIVER TITLE IV CREDIT BALANCES TO A CARD OR OTHER ACCESS DEVICE (N3)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” An institution may enter into an arrangement with a servicer or a financial institution to make a direct payment of federal student aid credit balances to students through electronic funds transfer to a bank account designated by a student or parent, to issue a check payment to the student or to use an access device such as a debit, demand, or smart card provided by the servicer or its financial partner. Regulations at 34 CFR 668.164(e) and (f) establish two different types of arrangements between schools and financial account providers: Tier One arrangements and Tier Two arrangements. The type of arrangement determines the provisions that are applicable to the school. 34 CFR 668.164(e)(2)(viii) states under a T1 arrangement, the institution must “provide to the Secretary an up-to-date URL for the contract and contract data as described in paragraph (e)(2)(vii) of this section for publication in a centralized database accessible to the public.” 34 CFR 668.164(e)(2)(ix) states under a T1 arrangement, the institution must “ensure that the terms of the accounts offered pursuant to a T1 arrangement are not inconsistent with the best financial interests of the students opening them. The Secretary considers this requirement to be met if (A) The institution documents that it conducts reasonable due diligence reviews at least every two years to ascertain whether the fees imposed under the T1 arrangement are, considered as a whole, consistent with or below prevailing market rates; and (B) All contracts for the marketing or offering of accounts pursuant to T1 arrangements to the institution's students make provision for termination of the arrangement by the institution based on complaints received from students or a determination by the institution under paragraph (e)(2)(ix)(A) of this section that the fees assessed under the T1 arrangement are not consistent with or are higher than prevailing market rates.” 34 CFR 668.164(e)(2)(x) states under a T1 arrangement, the institution must “take affirmative steps, by way of contractual arrangements with the third-party servicer as necessary, to ensure that requirements of this section are met with respect to all accounts offered pursuant to T1 arrangements.” Condition: Bluefield State University (BSU), Blueridge Community & Technical College (BRCTC), Concord University (CU), Mountwest Community & Technical College (MCTC), Shepherd University (SU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) have a T1 arrangement with a third-party servicer. BSU, CU, SU, WVNCC, and WVUP were unable to provide documentation showing that their institutions had submitted a URL to their contract with their third-party servicer and cost information related to their third-party servicer to the U.S. Department of Education for publication in the Cash Management Contracts Database. BSU, BRCTC, CU, MCTC, SU and WVNCC were unable to provide evidence showing that their institutions documented a due diligence review over the fees assessed by their third-party servicer of Title IV credit balances. Cause: BSU, BRCTC, CU, MCTC, SU, WVUP, and WVNCC did not have an internal control in place to review the contract with their third-party servicer of Title IV credit balances or obtain and review the third-party servicer’s Title IV compliance audit to ensure compliance with federal regulations. As such, instances of noncompliance were noted above. Effect or Potential Effect: The schools are not in compliance with certain federal regulations over T1 arrangements contained in 34 CFR 668.164(e). Questioned Costs: None Context: BSU, BRCTC, CU, MCTC, SU, WVNCC, and WVUP had total expenditures of $7,651,688, $5,084,582, $13,833,684, $4,467,631, $15,171,851, $3,090,314, and $6,847,451 respectively. Total expenditures for the SFA Cluster were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: The schools should implement internal controls over the review of the contract with their third-party servicer of Title IV credit balances and their Title IV compliance audit, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1) and Report on Controls Relevant to Security (SOC 2) to ensure compliance with the federal regulations over T1 arrangements. Documentation over the specific items reviewed and conclusions reached should be retained to support the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–017 SPECIAL TESTS AND PROVISIONS – SATISFACTORY ACADEMIC PROGRESS (N9)
Federal Program Information: Federal Agency and Program Name Assistance Listing #
Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” 34 CFR 668.16(e) states: “For purposes of determining student eligibility for assistance under a title IV, HEA program, establishes, publishes, and applies reasonable standards for measuring whether an otherwise eligible student is maintaining satisfactory academic progress in his or her educational program. The Secretary considers an institution's standards to be reasonable if the standards are in accordance with the provisions specified in § 668.34.” 34 CFR 668.34 states: “An institution must establish a reasonable satisfactory academic progress policy for determining whether an otherwise eligible student is making satisfactory academic progress in his or her educational program and may receive assistance under the title IV, HEA programs. The Secretary considers the institution's policy to be reasonable if— (1) The policy is at least as strict as the policy the institution applies to a student who is not receiving assistance under the title IV, HEA programs; (2) The policy provides for consistent application of standards to all students within categories of students, e.g., full-time, part-time, undergraduate, and graduate students, and educational programs established by the institution; (3) The policy provides that a student's academic progress is evaluated— (i) At the end of each payment period if the educational program is either one academic year in length or shorter than an academic year; or (ii) For all other educational programs, at the end of each payment period or at least annually to correspond with the end of a payment period; (4) (i) The policy specifies the grade point average (GPA) that a student must achieve at each evaluation, or if a GPA is not an appropriate qualitative measure, a comparable assessment measured against a norm; and (ii) If a student is enrolled in an educational program of more than two academic years, the policy specifies that at the end of the second academic year, the student must have a GPA of at least a “C” or its equivalent, or have academic standing consistent with the institution's requirements for graduation; (5) The policy specifies— (i) For all programs, the maximum timeframe as defined in paragraph (b) of this section; and (ii) For a credit hour program using standard or nonstandard terms that is not a subscription-based program, the pace, measured at each evaluation, at which a student must progress through his or her educational program to ensure that the student will complete the program within the maximum timeframe, calculated by either dividing the cumulative number of hours the student has successfully completed by the cumulative number of hours the student has attempted or by determining the number of hours that the student should have completed by the evaluation point in order to complete the program within the maximum timeframe. In making this calculation, the institution is not required to include remedial courses; (6) The policy describes how a student's GPA and pace of completion are affected by course incompletes, withdrawals, or repetitions, or transfers of credit from other institutions. Credit hours from another institution that are accepted toward the student's educational program must count as both attempted and completed hours; (7) Except as provided in paragraphs (c) and (d) of this section, the policy provides that, at the time of each evaluation, a student who has not achieved the required GPA, or who is not successfully completing his or her educational program at the required pace, is no longer eligible to receive assistance under the title IV, HEA programs; (8) If the institution places students on financial aid warning, or on financial aid probation, as defined in paragraph (b) of this section, the policy describes these statuses and that— (i) A student on financial aid warning may continue to receive assistance under the title IV, HEA programs for one payment period despite a determination that the student is not making satisfactory academic progress. Financial aid warning status may be assigned without an appeal or other action by the student; and (ii) A student on financial aid probation may receive title IV, HEA program funds for one payment period. While a student is on financial aid probation, the institution may require the student to fulfill specific terms and conditions such as taking a reduced course load or enrolling in specific courses. At the end of one payment period on financial aid probation, the student must meet the institution's satisfactory academic progress standards or meet the requirements of the academic plan developed by the institution and the student to qualify for further title IV, HEA program funds; (9) If the institution permits a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy describes— (i) How the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; (ii) The basis on which a student may file an appeal: The death of a relative, an injury or illness of the student, or other special circumstances; and (iii) Information the student must submit regarding why the student failed to make satisfactory academic progress, and what has changed in the student's situation that will allow the student to demonstrate satisfactory academic progress at the next evaluation; (10) If the institution does not permit a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy must describe how the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; and (11) The policy provides for notification to students of the results of an evaluation that impacts the student's eligibility for title IV, HEA program funds.” Condition: Bluefield State University (BSU), Fairmont State University (FSU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia School of Osteopathic Medicine (WVSOM), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the satisfactory academic progress (SAP) policy. During our testing, we noted there was no documentation retained to evidence that a review of the SAP policy was performed to ensure compliance with federal regulations. Additionally, Blue Ridge Community College (BRCTC) and WVUP did not publish the most recent version of the SAP policy on their websites. Furthermore, WVSOM did not include reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policy as the related SAP polices excluded the required element #11 above. BRCTC had an appropriate policy, but they did not publish the most recent version of the policy on their website. The older version of the SAP policy that was published on their website did not include the required element #11 above. Cause: Management of BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP did not retain sufficient documentation for their review procedures over the SAP policy. Management of BRCTC and WVSOM did not include all reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policies. Effect or Potential Effect: The published SAP policy may be deemed insufficient for the compliance requirements. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP were $5,084,582, $7,651,688, $17,584,932, $93,991,163, $3,672,778, $16,726,007, $3,090,314, $44,681,370, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should ensure the SAP is reviewed and approved on an annual basis and supporting documentation of the review retained. Management should design and implement internal controls over the SAP policy to ensure all requirements are included in the policy appropriately and published on the institution’s website timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–019 SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY (N12)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls. (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (iv) Assess apps developed by the institution (v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (vi) Dispose of customer information securely (vii) Anticipate and evaluate changes to the information system or network. (viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Blue Ridge Community and Technical College (BRCTC), Concord University (CU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program for Bluefield University (BSU), CU, MU, NRCTC, Shepherd University (SU), WLU, WVNCC, West Virginia State University (WVSU) and WVUP did not address all required elements per 16 CFR 314.4 outlined above. Furthermore, Fairmont State University (FSU) and Pierpont Community and Technical College (PCTC) did not have a written Information Security Program. For FSU, the written Information Security Program was not in place until May 2023. Cause: Management of BRCTC, CU, MU, NRCTC, WLU, WVNCC, and WVUP did not retain sufficient documentation for their review procedures over the Information Security Program. Management of BSU, CU, MU, NRCTC, SU, WVNCC, and WVSU did not include all reasonable standards required for the Information Security Program. Management of FSU and PCTC did not have a written Information Security Program. Effect or Potential Effect: The written Information Security Program may not be compliant with federal regulations. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, CU, FSU, MU, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, and WVUP were $5,084,582, $7,651,688, $13,833,684, $17,584,932, $93,991,163, $3,672,778, $4,388,461, $15,171,851, $16,726,007, $3,090,314, $9,313,808, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–020 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – VERIFICATION (N1)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Fairmont State University (FSU) did not have adequate internal controls in place surrounding the verification compliance requirement. During our testing, we noted for the samples selected that there were multiple selections showing a lack of proper review in the verification process. Cause: FSU did not have adequate internal controls in place to ensure that verification changes identified were processed and submitted to the U.S. Department of Education. Effect or Potential Effect: Students receiving federal aid could receive the incorrect amount of federal student financial assistance. Questioned Costs: N/A Context: We selected a sample of 23 students for FSU and identified 8 instances where the verification forms were not reviewed and approved. Total Student Financial Assistance Cluster expenditures for FSU were $17,584,932 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–015 and 2021–014 Recommendation: Management should develop and update internal controls to ensure that controls related to the verification process are implemented. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–021 BANNER INFORMATION TECHNOLOGY GENERAL CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the Banner application instances at 12 of 15 universities / colleges. As a result, Banner ITGCs, and therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Across the 11 universities/colleges (Blue Ridge Community and Technical College, Bluefield State University, Mountwest Community and Technical College, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia University, West Virginia University at Parkersburg, and West Virginia State University), management did not have a formalized process to support access provisioning events were authorized, approved and documented. Additionally, documentation did not exist to support the timely revocation of access upon a user leaving the university / college. Further, a user access review for Banner was not performed to ensure access remains appropriate based on users’ job responsibilities. We also identified instances where privileged accounts to Banner were shared amongst users and password settings were not configured with leading industry standards. Specific to the change management process, a formalized and documented process was not consistently followed to support that Banner application and supporting infrastructure patches and releases were authorized, tested, and approved prior to being implemented to production. Effect or Potential Effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the student financial aid system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned Costs: None Context: The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified Banner access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the Banner application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the Banner application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access to the Banner application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. Management should configure Banner password settings related to minimum length, complexity, expiration, history, and account lockout to enhance overall security. Further, privileged access to the Banner application should be granted to administrators via unique IDs to provide accountability and avoid the sharing of default privileged accounts. A formal, documented change process needs implemented to capture authorization, testing and production migration approvals for patches and releases to the Banner application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–024 SPECIAL TESTS AND PROVISIONS – USING A SERVICER TO DELIVER TITLE IV CREDIT BALANCES TO A CARD OR OTHER ACCESS DEVICE (N3)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” An institution may enter into an arrangement with a servicer or a financial institution to make a direct payment of federal student aid credit balances to students through electronic funds transfer to a bank account designated by a student or parent, to issue a check payment to the student or to use an access device such as a debit, demand, or smart card provided by the servicer or its financial partner. Regulations at 34 CFR 668.164(e) and (f) establish two different types of arrangements between schools and financial account providers: Tier One arrangements and Tier Two arrangements. The type of arrangement determines the provisions that are applicable to the school. 34 CFR 668.164(e)(2)(viii) states under a T1 arrangement, the institution must “provide to the Secretary an up-to-date URL for the contract and contract data as described in paragraph (e)(2)(vii) of this section for publication in a centralized database accessible to the public.” 34 CFR 668.164(e)(2)(ix) states under a T1 arrangement, the institution must “ensure that the terms of the accounts offered pursuant to a T1 arrangement are not inconsistent with the best financial interests of the students opening them. The Secretary considers this requirement to be met if (A) The institution documents that it conducts reasonable due diligence reviews at least every two years to ascertain whether the fees imposed under the T1 arrangement are, considered as a whole, consistent with or below prevailing market rates; and (B) All contracts for the marketing or offering of accounts pursuant to T1 arrangements to the institution's students make provision for termination of the arrangement by the institution based on complaints received from students or a determination by the institution under paragraph (e)(2)(ix)(A) of this section that the fees assessed under the T1 arrangement are not consistent with or are higher than prevailing market rates.” 34 CFR 668.164(e)(2)(x) states under a T1 arrangement, the institution must “take affirmative steps, by way of contractual arrangements with the third-party servicer as necessary, to ensure that requirements of this section are met with respect to all accounts offered pursuant to T1 arrangements.” Condition: Bluefield State University (BSU), Blueridge Community & Technical College (BRCTC), Concord University (CU), Mountwest Community & Technical College (MCTC), Shepherd University (SU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) have a T1 arrangement with a third-party servicer. BSU, CU, SU, WVNCC, and WVUP were unable to provide documentation showing that their institutions had submitted a URL to their contract with their third-party servicer and cost information related to their third-party servicer to the U.S. Department of Education for publication in the Cash Management Contracts Database. BSU, BRCTC, CU, MCTC, SU and WVNCC were unable to provide evidence showing that their institutions documented a due diligence review over the fees assessed by their third-party servicer of Title IV credit balances. Cause: BSU, BRCTC, CU, MCTC, SU, WVUP, and WVNCC did not have an internal control in place to review the contract with their third-party servicer of Title IV credit balances or obtain and review the third-party servicer’s Title IV compliance audit to ensure compliance with federal regulations. As such, instances of noncompliance were noted above. Effect or Potential Effect: The schools are not in compliance with certain federal regulations over T1 arrangements contained in 34 CFR 668.164(e). Questioned Costs: None Context: BSU, BRCTC, CU, MCTC, SU, WVNCC, and WVUP had total expenditures of $7,651,688, $5,084,582, $13,833,684, $4,467,631, $15,171,851, $3,090,314, and $6,847,451 respectively. Total expenditures for the SFA Cluster were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: The schools should implement internal controls over the review of the contract with their third-party servicer of Title IV credit balances and their Title IV compliance audit, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1) and Report on Controls Relevant to Security (SOC 2) to ensure compliance with the federal regulations over T1 arrangements. Documentation over the specific items reviewed and conclusions reached should be retained to support the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–002 DHHR INFORMATION SYSTEM AND RELATED BUSINESS PROCESS CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF, Child Care and Development Fund (CCDF) Cluster, 93.575/93.596/COVID 19 93.575, Grant Award 2201WVCCDF, Grant Award 2201WVCCDM, Grant Award 2201WVCCDD, Grant Award 2301WVCCDF, Grant Award 2301WVCCDM, Grant Award 2301WVCCDD, Foster Care Title IV-E, 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: Family and Children Tracking System (FACTS): West Virginia Department of Health and Human Resources (DHHR) operates a wide variety of computer applications, many of which affect federal and State programs’ data. Our review of the information system controls noted that adequate segregation of duties does not exist for the FACTS information system. Certain users have the ability to both create and approve cases. We noted that management implemented a mitigating detect control for the Foster Care program during fiscal year 2012 in response to this repeat finding; however, it was not designed to encompass the Adoption Assistance program or automatic payments in the Foster Care program. Additionally, no supervisory review is required for provider payment information input into the system. Recipient Automated Payment Information Data System (RAPIDS): Our testing of the controls surrounding eligibility determination noted that adequate segregation of duties does not exist for the RAPIDS system. In addition, no supervisory review is required for case information input into the system. Further, it was noted that approval of disbursements only occurs at the batch level, which does not allow the approver to review each transaction individually. Cause: Controls have not been implemented over the segregation of duties within RAPIDS and FACTS. Furthermore, management indicated that a lack of personnel resources contributes to the improper segregation of duties issue. Effect or Potential Effect: Without proper segregation of duties or adequate detect controls, the ability exists for certain information system users to create and approve cases and demand payments within the FACTS and RAPIDS applications. Information can be input into the FACTS and RAPIDS applications or modified within the applications without supervisory review, which could lead to payments being made to ineligible applicants, for the improper amount, or for an improper length of time. Without proper segregation of duties or adequate detect controls, the ability exists for case workers to input unsupported information into an applicant’s eligibility calculation within RAPIDS. Further, without supervisory review at the transactional level, disbursements for unallowable costs or activities could occur. Questioned Costs: N/A Context: Total federal expenditures for these programs can be located in the Schedule of Expenditures of Federal Awards. Identification as a Repeat Finding: Prior Year Findings 2022–001 and 2021–001
Recommendation: We recommend that access to various FACTS and RAPIDS system applications be restricted to a limited number of users. Controls should be established to ensure that an individual is limited to either creating or approving cases or payments. A detect control should be implemented that would require a review of all individual cases and payments with the same request and approval worker to ensure that cases and payments created and approved were appropriate. Further, we recommend that a formal review process be implemented to ensure that information input into FACTS and RAPIDS is properly reviewed by authorized individuals prior to payment. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–004 INTERNAL CONTROLS OVER SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Opioid STR 93.788, Grant Award 1H79TI085744-01, Grant Award 1H79TI083313-01, Grant Award 6H79TI083313-02M002, Grant Award 6H79TI083313-02M004, Grant Award 5H79TI083313-02 Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04, Child Care and Development Fund (CCDF) Cluster 93.575/93.596/COVID-19 93.575, Grant Award G2201WVCCDF, Grant Award G2301WVCCDF Temporary Assistance for Needy Families 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: During our internal control testing of subrecipient monitoring, we determined that the subrecipient risk assessment performed did not clearly conclude the level of risk assessed (Low, Medium, High) for each subrecipient. Cause: The internal controls over subrecipient monitoring are not designed sufficiently to require a conclusion to be reached on a subrecipient’s risk assessment to determine the level of monitoring required to be performed. Effect or Potential Effect: Subrecipients may not be properly risk assessed; therefore, impacting the type and amount of monitoring that would be performed in the future. Questioned Costs: N/A Context: The federal expenditures and subrecipient expenditures for the Opioid STR program for the fiscal year ended June 30, 2023, were $34,877,309 and $32,388,417, respectively. The federal expenditures and subrecipient expenditures for the Child Care and Development Fund (CCDF Cluster) for the fiscal year ended June 30, 2023, were $202,427,780 and $45,239,361, respectively. The federal expenditures and subrecipient expenditures for the Temporary Assistance for Needy Families for the fiscal year ended June 30, 2023, were $85,510,454, and $18,789,521, respectively. Identification as a Repeat Finding: Prior Year Finding 2022–041 Recommendation: We recommend that DHHR management review its internal controls over the risk assessment process to perform the risk assessment and conclude on the level of risk and monitoring required. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–035 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – CHILD SUPPORT NON-COOPERATION, PENALTY FOR REFUSAL TO WORK, AND ADULT CUSTODIAL PARENT OF CHILD UNDER SIX WHEN CHILD CARE NOT AVAILABLE
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. Condition: The West Virginia Department of Health & Human Resources (DHHR) has policies and procedures in place surrounding the issuance and removal of sanctions; however, adequate documentation to determine that the controls were operating effectively was not consistently maintained or available. Cause: Internal controls over the documentation of the review and approval of the issuance or removal of sanctions against TANF recipients are not operating effectively. Effect or Potential Effect: Recipient benefits may potentially be reduced or increased in error or without appropriate cause. Questioned Costs: N/A Context: Total federal expenditures for Temporary Assistance for Needy Families (TANF) for the fiscal year ended June 30, 2023, were $85,510,454. Identification as a Repeat Finding: Prior Year Findings 2022–027 and 2021–028 Recommendation: We recommend that DHHR management maintain sufficient documentation to evidence its review prior to the issuance or removal of sanctions. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–036 SPECIAL TESTS AND PROVISIONS – PENALTY FOR REFUSAL TO WORK
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The State agency must maintain adequate documentation, verification, and internal control procedures to ensure the accuracy of the data used in calculating work participation rates. In so doing, it must have in place procedures to (a) determine whether its work activities may count for participation rate purposes; (b) determine how to count and verify reported hours of work; (c) identify who is a work-eligible individual; and (d) control internal data transmission and accuracy. Each State agency must comply with its HHS-approved Work Verification Plan in effect for the period that is audited. HHS may penalize the State by an amount not less than one percent and not more than five percent of the SFAG for violation of this provision (42 USC 601, 602, 607, and 609); 45 CFR sections 261.60, 261.61, 261.62, 261.63, 261.64, and 261.65). If an individual in a family receiving assistance refuses to engage in required work, a State must reduce assistance to the family, at least pro rata, with respect to any period during the month in which the individual so refuses or may terminate assistance. Any reduction or termination is subject to good cause or other exceptions as the State may establish (42 USC 607(e)(1); 45 CFR sections 261.13 and 261.14(a) and (b)). However, a State may not reduce or terminate assistance based on a refusal to work if the individual is a single custodial parent caring for a child who is less than 6 years of age if the individual can demonstrate the inability (as determined by the State) to obtain child care for one or more of the following reasons: (a) the unavailability of appropriate care within a reasonable distance of the individual’s work or home; (b) unavailability or unsuitability of informal child care; or (c) unavailability of appropriate and affordable formal child care (42 USC 607(e)(2); 45 CFR sections 261.15(a), 261.56, and 261.57). Condition: For one of the 40 cases selected for testing, the individual should not have been included in the overall population of individuals not participating in their assigned activity. The State has supporting documentation that the client had been participating in their assigned activity. We determined that the cause was from the individual being incorrectly included in the population provided by the state. Cause: There are insufficient internal controls in place surrounding the generation and review of the population of individuals not participating in an assigned activity provided to the auditor, and caseworker data entry into the Recipient Automated Payment Information Data System (RAPIDS). Effect or Potential Effect: The State may inappropriately reduce or terminate the assistance grant of an individual who refuses to engage in work but are subject to good cause or other exceptions established by the State. Further the State may not be able to effectively identify individuals that should or should not be subject to reductions or terminations in benefits. Questioned Costs: Unknown Context: Total federal expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that management implement policies and procedures to ensure that information in RAPIDS and populations are complete and accurate. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–037 SPECIAL TESTS AND PROVISIONS – INCOME ELIGIBILITY AND VERIFICATION SYSTEM
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF,
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Each state shall participate in the Income Eligibility and Verification System (IEVS) required by Section 1137 of the Social Security Act as amended. Under the state plan the state is required to coordinate data exchanges with other federally assisted benefit programs, request and use income and benefit information when making eligibility determinations and adhere to standardized formats and procedures in exchanging information with other programs and agencies. Specifically, the state is required to request and obtain information as follows (42 USC 1320b-7; 45CFR section 205.55). (a) Wage information from the state Wage Information Collection Agency (SWICA) should be obtained for all applicants at the first opportunity following receipt of the application, and for all recipients on a quarterly basis. (b) Unemployment Compensation (UC) information should be obtained for all applicants at the first opportunity, and in each of the first three months in which the individual is receiving aid. This information should also be obtained in each of the first three months following any recipient-reported loss of employment. If an individual is found to be receiving UC, the information should be requested until benefits are exhausted. (c) All available information from the Social Security Administration (SSA) for all applicants at the first opportunity. (d) Information from the U.S. Citizenship and Immigration Services and any other information from other agencies in the state or in other states that might provide income or other useful information. (e) Unearned income from the Internal Revenue Service (IRS). Condition: During testing of 40 TANF cases subject to IEVS, we noted the following: Control - For 40 of the 40 cases selected for control testing, adequate documentation of review of the data exchanges, and system matches, and review of actions taken by the caseworker when required was not provided. Compliance- For 3 of the 40 cases selected for testing, the recipient did not appear to be receiving WVWorks benefits. The auditor was unable to determine if these cases should have been subject to a data match under TANF. For 12 of the 40 cases selected for testing, the recipient appeared to be receiving WVWorks benefits, and a data match indicating caseworker action required was noted, but no action was completed. Additionally, additional documentation supporting no action required for the match was not available. For the remaining 25 of the 40 cases, the recipient appeared to be receiving WVWorks, a data match occurred, and related worker action was taken, but documentation supporting the action was not available. In addition, the auditor could not determine if specific action items were completed relating to individual exchange types. Cause: There are insufficient internal controls in place surrounding the generation and review of populations provided to the auditor, the Income Eligibility and Verification System matches, and the caseworker actions required within the Recipient Automated Payment Information Data System (RAPIDS). Also, insufficient documentation surrounding matches made between the information systems and actions taken after a match is made. Effect or Potential Effect: The State of WV may not be coordinating data exchanges with other federally assisted benefit programs as required by the state plan. Questioned Costs: Unknown Context: Total federal expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454. Identification as a Repeat Finding: Prior Year Finding 2022–028 and 2021–029 Recommendation: We recommend that management implement policies and procedures to ensure that information in RAPIDS and populations are complete and accurate. In addition, we also recommend DHHR evaluate their control over the caseworker action requirement within RAPIDS on matches related to the IEVS. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–038 SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.332(a) requires that a pass-through entity “Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward.” Required information includes the Federal Award Identification Number (FAIN). Condition: For four of four subawards selected for testing for subrecipient monitoring, the West Virginia Department of Education (DOE) did not communicate the FAIN to the subrecipient in the subaward. Cause: There are insufficient internal controls in place surrounding what information is included in the subaward. Effect or Potential Effect: The DOE is not providing required information to their subrecipients and therefore, not complying with federal regulations. Questioned Costs: Unknown Context: The federal expenditures and subrecipient expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454, and $18,789,521, respectively. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that DOE implement policies and procedures to ensure that the subawards include all requirements information to be communication to subrecipients in line with federal regulations. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–039 ELIGIBILITY
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): Any family that includes an adult or minor child head of household or a spouse of the head of household who has received assistance under any State program funded by federal Temporary Assistance for Needy Families (TANF) funds for 60 months (whether or not consecutive) is ineligible for additional federally funded TANF assistance. However, the State may extend assistance to a family on the basis of hardship, as defined by the State, or if a family member has been battered or subjected to extreme cruelty. In determining the number of months for which the head of household or the spouse of the head of household has received assistance, the State must not count any month during which the adult received the assistance while living in ©ndian country or in an Alaskan Native Village and the most reliable data available with respect to that month (or a period including that month) indicate at least 50% of the adults living in Indian country or in the village were not employed (42 USC 608(a)(7); 45 CFR sections 264.1(a), (b), and (c)). Further, the average monthly number of families that include an adult or minor child head of household, or the spouse of the head of household, who has received assistance under any State program funded by federal TANF funds for more than 60 countable months (whether or not consecutive) may not exceed 20 percent of the average monthly number of all families to which the State provided assistance during the fiscal year or the immediately preceding fiscal year (but not both), as the State may elect (42 USC 608(a)(7)(C)(ii); 45 CFR sections 264.1(c) and©)). Condition: During analysis of the TANF Data Report, ACF 199, two individuals were noted to have received TANF benefits for 61 months and one individual received benefits for 86 months. Cause: Management indicated the finding was caused by worker errors and insufficient verification of case information. Internal controls are not suitably designed to review and approve participant eligibility applications. Effect or Potential Effect: Ineligible claims may have been reimbursed using federal funds. Questioned Costs: $1,754 Context: Total federal expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that management implement policies and procedures to ensure that information in RAPIDS is complete and accurate to ensure compliance with eligibility requirements. In addition, we also recommend DHHR evaluate the effectiveness of the current training programs for the TANF program to ensure adequate technical training is provided. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–040 SPECIAL TESTS AND PROVISIONS – PENALTY FOR FAILURE TO COMPLY WITH WORK VERFICATION PLAN
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WV TANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The state agency must maintain adequate documentation, verification, and internal control procedures to ensure the accuracy of the data used in calculating work participation rates. In so doing, it must have in place procedures to (a) determine whether its work activities may count for participation rate purposes; (b) determine how to count and verify reported hours of work; (c) identify who is a work-eligible individual; and (d) control internal data transmission and accuracy. Each state agency must comply with its HHS-approved Work Verification Plan in effect for the period that is audited. HHS may penalize the state by an amount not less than one percent and not more than five percent of the SFAG for violation of this provision (42 USC 601, 602, 607, and 609); 45 CFR sections 261.60, 261.61, 261.62, 261.63, 261.64, and 261.65). Condition: For one of the 40 cases selected for testing, the individual’s work eligibility and participation status documented in the case file and RAPIDS were not consistent with the data elements reported. For one of the 40 cases selected for testing, there was conflicting information for the participation hours for the individual/month selected. The incorrect information was included in the data elements reported. Cause: The discrepancies between data elements reported and supported were due to caseworker errors. Internal controls are not suitably designed to review and approve participant eligibility applications. Effect or Potential Effect: The auditor was unable to determine if the auditee was in compliance with the specified compliance requirement. Questioned Costs: Unknown Context: Total federal expenditures for TANF for the fiscal year ended June 30, 2023 were $85,510,454. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that management implement policies and procedures to ensure that information in RAPIDS is complete and accurate. In addition, we also recommend DHHR evaluate the effectiveness of the current training programs for the TANF program to ensure adequate technical training is provided. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–041 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF, Low-Income Home Energy Assistance, 93.568/COVID-19 93.568, Grant Award G-2101WVE5C6, Grant Award G-2201WVLIEA, Grant Award G-2201WVLIEI, Grant Award G-2301WVLIEE, Grant Award G-2301WVLIEA, Grant Award G-2301WVLIEI Criteria or specific requirement (including statutory, regulatory, or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) reports for the Temporary Assistance for Needy Families (TANF) program, the subawards were not reported timely and support could not be provided for certain required data elements. Therefore, the TANF program was not in compliance with the provisions of 2 CFR 170 Appendix A. During our testing of Federal Funding Accountability and Transparency Act (FFATA) reports for the Low-Income Home Energy Assistance (LIHEAP) program, it was noted that the reports were not submitted by the Department of Health and Human Resources (DHHR) within the timeframe designated in 2 CFR 170 Appendix A, as well as did not contain accurate subaward grant numbers.
Cause: The West Virginia Department of Health and Human Resources (DHHR) received awards directly from the federal awarding agency. DHHR passed through a portion of the awards to other non-federal entities that were also agencies of the State. Those other agencies of the State subsequently passed through a portion of their awards to other non-federal entities that are not agencies of the State. When DHHR passed through the awards to other agencies of the State, DHHR used their standard grant agreement template since those agencies were external to DHHR. When completing the FFATA reports, the DHHR inappropriately entered the other State agencies as the subrecipient/subawardee and did not report the first-tier subrecipients of DOE timely. DHHR was also not able to provide supporting documentation for the subrecipients unique entity identification (UEI) number. Effect or Potential Effect: The FFATA reports were not submitted timely, and documentation could not be provided to ensure all required data elements were accurate. Questioned Costs: N/A Context: Subawards for the TANF program awarded by the West Virginia Department of Education (DOE) included 11 subawards that totaled $5,653,405 for the year ended June 30, 2023. The 5 subawards that were reported to the FFATA Subaward Reporting System incorrectly and/or late represent the entirety of the $2,851,508 selected for testing. Total federal expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454. Subawards for the LIHEAP program included 28 subawards that totaled $17,348,041 for the year ended June 30, 2023. The 5 subawards that were incorrectly reported to the FFATA Subaward Reporting System represent the entirety of the $3,775,558 selected for testing. Total federal expenditures for LIHEAP for the fiscal year ended June 30, 2023, were $78,229,389. Identification as a Repeat Finding: Prior Year Finding 2022-029 Recommendation: DHHR should consider the State of West Virginia to be the prime recipient. Even if the DHHR passes through a portion of a federal award to other non-federal entities that are agencies of the State, the DHHR should consider those agencies to be part of the prime recipient tier instead of subrecipients. Regardless of the State agency that receives the award directly from the federal awarding agency, the only time a subrecipient relationship exists for the State is when a portion of the award is passed through to a non-federal entity that is not an agency of the State. Accordingly, when DHHR receives and passes through a portion of a federal award to another agency of the State, DHHR should work with the other agency when completing the FFATA reports in an effort to ensure that all subawardee information is complete and accurate. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–002 DHHR INFORMATION SYSTEM AND RELATED BUSINESS PROCESS CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF, Child Care and Development Fund (CCDF) Cluster, 93.575/93.596/COVID 19 93.575, Grant Award 2201WVCCDF, Grant Award 2201WVCCDM, Grant Award 2201WVCCDD, Grant Award 2301WVCCDF, Grant Award 2301WVCCDM, Grant Award 2301WVCCDD, Foster Care Title IV-E, 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: Family and Children Tracking System (FACTS): West Virginia Department of Health and Human Resources (DHHR) operates a wide variety of computer applications, many of which affect federal and State programs’ data. Our review of the information system controls noted that adequate segregation of duties does not exist for the FACTS information system. Certain users have the ability to both create and approve cases. We noted that management implemented a mitigating detect control for the Foster Care program during fiscal year 2012 in response to this repeat finding; however, it was not designed to encompass the Adoption Assistance program or automatic payments in the Foster Care program. Additionally, no supervisory review is required for provider payment information input into the system. Recipient Automated Payment Information Data System (RAPIDS): Our testing of the controls surrounding eligibility determination noted that adequate segregation of duties does not exist for the RAPIDS system. In addition, no supervisory review is required for case information input into the system. Further, it was noted that approval of disbursements only occurs at the batch level, which does not allow the approver to review each transaction individually. Cause: Controls have not been implemented over the segregation of duties within RAPIDS and FACTS. Furthermore, management indicated that a lack of personnel resources contributes to the improper segregation of duties issue. Effect or Potential Effect: Without proper segregation of duties or adequate detect controls, the ability exists for certain information system users to create and approve cases and demand payments within the FACTS and RAPIDS applications. Information can be input into the FACTS and RAPIDS applications or modified within the applications without supervisory review, which could lead to payments being made to ineligible applicants, for the improper amount, or for an improper length of time. Without proper segregation of duties or adequate detect controls, the ability exists for case workers to input unsupported information into an applicant’s eligibility calculation within RAPIDS. Further, without supervisory review at the transactional level, disbursements for unallowable costs or activities could occur. Questioned Costs: N/A Context: Total federal expenditures for these programs can be located in the Schedule of Expenditures of Federal Awards. Identification as a Repeat Finding: Prior Year Findings 2022–001 and 2021–001
Recommendation: We recommend that access to various FACTS and RAPIDS system applications be restricted to a limited number of users. Controls should be established to ensure that an individual is limited to either creating or approving cases or payments. A detect control should be implemented that would require a review of all individual cases and payments with the same request and approval worker to ensure that cases and payments created and approved were appropriate. Further, we recommend that a formal review process be implemented to ensure that information input into FACTS and RAPIDS is properly reviewed by authorized individuals prior to payment. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–004 INTERNAL CONTROLS OVER SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Opioid STR 93.788, Grant Award 1H79TI085744-01, Grant Award 1H79TI083313-01, Grant Award 6H79TI083313-02M002, Grant Award 6H79TI083313-02M004, Grant Award 5H79TI083313-02 Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04, Child Care and Development Fund (CCDF) Cluster 93.575/93.596/COVID-19 93.575, Grant Award G2201WVCCDF, Grant Award G2301WVCCDF Temporary Assistance for Needy Families 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: During our internal control testing of subrecipient monitoring, we determined that the subrecipient risk assessment performed did not clearly conclude the level of risk assessed (Low, Medium, High) for each subrecipient. Cause: The internal controls over subrecipient monitoring are not designed sufficiently to require a conclusion to be reached on a subrecipient’s risk assessment to determine the level of monitoring required to be performed. Effect or Potential Effect: Subrecipients may not be properly risk assessed; therefore, impacting the type and amount of monitoring that would be performed in the future. Questioned Costs: N/A Context: The federal expenditures and subrecipient expenditures for the Opioid STR program for the fiscal year ended June 30, 2023, were $34,877,309 and $32,388,417, respectively. The federal expenditures and subrecipient expenditures for the Child Care and Development Fund (CCDF Cluster) for the fiscal year ended June 30, 2023, were $202,427,780 and $45,239,361, respectively. The federal expenditures and subrecipient expenditures for the Temporary Assistance for Needy Families for the fiscal year ended June 30, 2023, were $85,510,454, and $18,789,521, respectively. Identification as a Repeat Finding: Prior Year Finding 2022–041 Recommendation: We recommend that DHHR management review its internal controls over the risk assessment process to perform the risk assessment and conclude on the level of risk and monitoring required. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–035 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – CHILD SUPPORT NON-COOPERATION, PENALTY FOR REFUSAL TO WORK, AND ADULT CUSTODIAL PARENT OF CHILD UNDER SIX WHEN CHILD CARE NOT AVAILABLE
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. Condition: The West Virginia Department of Health & Human Resources (DHHR) has policies and procedures in place surrounding the issuance and removal of sanctions; however, adequate documentation to determine that the controls were operating effectively was not consistently maintained or available. Cause: Internal controls over the documentation of the review and approval of the issuance or removal of sanctions against TANF recipients are not operating effectively. Effect or Potential Effect: Recipient benefits may potentially be reduced or increased in error or without appropriate cause. Questioned Costs: N/A Context: Total federal expenditures for Temporary Assistance for Needy Families (TANF) for the fiscal year ended June 30, 2023, were $85,510,454. Identification as a Repeat Finding: Prior Year Findings 2022–027 and 2021–028 Recommendation: We recommend that DHHR management maintain sufficient documentation to evidence its review prior to the issuance or removal of sanctions. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–036 SPECIAL TESTS AND PROVISIONS – PENALTY FOR REFUSAL TO WORK
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The State agency must maintain adequate documentation, verification, and internal control procedures to ensure the accuracy of the data used in calculating work participation rates. In so doing, it must have in place procedures to (a) determine whether its work activities may count for participation rate purposes; (b) determine how to count and verify reported hours of work; (c) identify who is a work-eligible individual; and (d) control internal data transmission and accuracy. Each State agency must comply with its HHS-approved Work Verification Plan in effect for the period that is audited. HHS may penalize the State by an amount not less than one percent and not more than five percent of the SFAG for violation of this provision (42 USC 601, 602, 607, and 609); 45 CFR sections 261.60, 261.61, 261.62, 261.63, 261.64, and 261.65). If an individual in a family receiving assistance refuses to engage in required work, a State must reduce assistance to the family, at least pro rata, with respect to any period during the month in which the individual so refuses or may terminate assistance. Any reduction or termination is subject to good cause or other exceptions as the State may establish (42 USC 607(e)(1); 45 CFR sections 261.13 and 261.14(a) and (b)). However, a State may not reduce or terminate assistance based on a refusal to work if the individual is a single custodial parent caring for a child who is less than 6 years of age if the individual can demonstrate the inability (as determined by the State) to obtain child care for one or more of the following reasons: (a) the unavailability of appropriate care within a reasonable distance of the individual’s work or home; (b) unavailability or unsuitability of informal child care; or (c) unavailability of appropriate and affordable formal child care (42 USC 607(e)(2); 45 CFR sections 261.15(a), 261.56, and 261.57). Condition: For one of the 40 cases selected for testing, the individual should not have been included in the overall population of individuals not participating in their assigned activity. The State has supporting documentation that the client had been participating in their assigned activity. We determined that the cause was from the individual being incorrectly included in the population provided by the state. Cause: There are insufficient internal controls in place surrounding the generation and review of the population of individuals not participating in an assigned activity provided to the auditor, and caseworker data entry into the Recipient Automated Payment Information Data System (RAPIDS). Effect or Potential Effect: The State may inappropriately reduce or terminate the assistance grant of an individual who refuses to engage in work but are subject to good cause or other exceptions established by the State. Further the State may not be able to effectively identify individuals that should or should not be subject to reductions or terminations in benefits. Questioned Costs: Unknown Context: Total federal expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that management implement policies and procedures to ensure that information in RAPIDS and populations are complete and accurate. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–037 SPECIAL TESTS AND PROVISIONS – INCOME ELIGIBILITY AND VERIFICATION SYSTEM
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF,
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Each state shall participate in the Income Eligibility and Verification System (IEVS) required by Section 1137 of the Social Security Act as amended. Under the state plan the state is required to coordinate data exchanges with other federally assisted benefit programs, request and use income and benefit information when making eligibility determinations and adhere to standardized formats and procedures in exchanging information with other programs and agencies. Specifically, the state is required to request and obtain information as follows (42 USC 1320b-7; 45CFR section 205.55). (a) Wage information from the state Wage Information Collection Agency (SWICA) should be obtained for all applicants at the first opportunity following receipt of the application, and for all recipients on a quarterly basis. (b) Unemployment Compensation (UC) information should be obtained for all applicants at the first opportunity, and in each of the first three months in which the individual is receiving aid. This information should also be obtained in each of the first three months following any recipient-reported loss of employment. If an individual is found to be receiving UC, the information should be requested until benefits are exhausted. (c) All available information from the Social Security Administration (SSA) for all applicants at the first opportunity. (d) Information from the U.S. Citizenship and Immigration Services and any other information from other agencies in the state or in other states that might provide income or other useful information. (e) Unearned income from the Internal Revenue Service (IRS). Condition: During testing of 40 TANF cases subject to IEVS, we noted the following: Control - For 40 of the 40 cases selected for control testing, adequate documentation of review of the data exchanges, and system matches, and review of actions taken by the caseworker when required was not provided. Compliance- For 3 of the 40 cases selected for testing, the recipient did not appear to be receiving WVWorks benefits. The auditor was unable to determine if these cases should have been subject to a data match under TANF. For 12 of the 40 cases selected for testing, the recipient appeared to be receiving WVWorks benefits, and a data match indicating caseworker action required was noted, but no action was completed. Additionally, additional documentation supporting no action required for the match was not available. For the remaining 25 of the 40 cases, the recipient appeared to be receiving WVWorks, a data match occurred, and related worker action was taken, but documentation supporting the action was not available. In addition, the auditor could not determine if specific action items were completed relating to individual exchange types. Cause: There are insufficient internal controls in place surrounding the generation and review of populations provided to the auditor, the Income Eligibility and Verification System matches, and the caseworker actions required within the Recipient Automated Payment Information Data System (RAPIDS). Also, insufficient documentation surrounding matches made between the information systems and actions taken after a match is made. Effect or Potential Effect: The State of WV may not be coordinating data exchanges with other federally assisted benefit programs as required by the state plan. Questioned Costs: Unknown Context: Total federal expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454. Identification as a Repeat Finding: Prior Year Finding 2022–028 and 2021–029 Recommendation: We recommend that management implement policies and procedures to ensure that information in RAPIDS and populations are complete and accurate. In addition, we also recommend DHHR evaluate their control over the caseworker action requirement within RAPIDS on matches related to the IEVS. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–038 SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.332(a) requires that a pass-through entity “Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward.” Required information includes the Federal Award Identification Number (FAIN). Condition: For four of four subawards selected for testing for subrecipient monitoring, the West Virginia Department of Education (DOE) did not communicate the FAIN to the subrecipient in the subaward. Cause: There are insufficient internal controls in place surrounding what information is included in the subaward. Effect or Potential Effect: The DOE is not providing required information to their subrecipients and therefore, not complying with federal regulations. Questioned Costs: Unknown Context: The federal expenditures and subrecipient expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454, and $18,789,521, respectively. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that DOE implement policies and procedures to ensure that the subawards include all requirements information to be communication to subrecipients in line with federal regulations. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–039 ELIGIBILITY
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): Any family that includes an adult or minor child head of household or a spouse of the head of household who has received assistance under any State program funded by federal Temporary Assistance for Needy Families (TANF) funds for 60 months (whether or not consecutive) is ineligible for additional federally funded TANF assistance. However, the State may extend assistance to a family on the basis of hardship, as defined by the State, or if a family member has been battered or subjected to extreme cruelty. In determining the number of months for which the head of household or the spouse of the head of household has received assistance, the State must not count any month during which the adult received the assistance while living in ©ndian country or in an Alaskan Native Village and the most reliable data available with respect to that month (or a period including that month) indicate at least 50% of the adults living in Indian country or in the village were not employed (42 USC 608(a)(7); 45 CFR sections 264.1(a), (b), and (c)). Further, the average monthly number of families that include an adult or minor child head of household, or the spouse of the head of household, who has received assistance under any State program funded by federal TANF funds for more than 60 countable months (whether or not consecutive) may not exceed 20 percent of the average monthly number of all families to which the State provided assistance during the fiscal year or the immediately preceding fiscal year (but not both), as the State may elect (42 USC 608(a)(7)(C)(ii); 45 CFR sections 264.1(c) and©)). Condition: During analysis of the TANF Data Report, ACF 199, two individuals were noted to have received TANF benefits for 61 months and one individual received benefits for 86 months. Cause: Management indicated the finding was caused by worker errors and insufficient verification of case information. Internal controls are not suitably designed to review and approve participant eligibility applications. Effect or Potential Effect: Ineligible claims may have been reimbursed using federal funds. Questioned Costs: $1,754 Context: Total federal expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that management implement policies and procedures to ensure that information in RAPIDS is complete and accurate to ensure compliance with eligibility requirements. In addition, we also recommend DHHR evaluate the effectiveness of the current training programs for the TANF program to ensure adequate technical training is provided. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–040 SPECIAL TESTS AND PROVISIONS – PENALTY FOR FAILURE TO COMPLY WITH WORK VERFICATION PLAN
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WV TANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The state agency must maintain adequate documentation, verification, and internal control procedures to ensure the accuracy of the data used in calculating work participation rates. In so doing, it must have in place procedures to (a) determine whether its work activities may count for participation rate purposes; (b) determine how to count and verify reported hours of work; (c) identify who is a work-eligible individual; and (d) control internal data transmission and accuracy. Each state agency must comply with its HHS-approved Work Verification Plan in effect for the period that is audited. HHS may penalize the state by an amount not less than one percent and not more than five percent of the SFAG for violation of this provision (42 USC 601, 602, 607, and 609); 45 CFR sections 261.60, 261.61, 261.62, 261.63, 261.64, and 261.65). Condition: For one of the 40 cases selected for testing, the individual’s work eligibility and participation status documented in the case file and RAPIDS were not consistent with the data elements reported. For one of the 40 cases selected for testing, there was conflicting information for the participation hours for the individual/month selected. The incorrect information was included in the data elements reported. Cause: The discrepancies between data elements reported and supported were due to caseworker errors. Internal controls are not suitably designed to review and approve participant eligibility applications. Effect or Potential Effect: The auditor was unable to determine if the auditee was in compliance with the specified compliance requirement. Questioned Costs: Unknown Context: Total federal expenditures for TANF for the fiscal year ended June 30, 2023 were $85,510,454. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that management implement policies and procedures to ensure that information in RAPIDS is complete and accurate. In addition, we also recommend DHHR evaluate the effectiveness of the current training programs for the TANF program to ensure adequate technical training is provided. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–041 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF, Low-Income Home Energy Assistance, 93.568/COVID-19 93.568, Grant Award G-2101WVE5C6, Grant Award G-2201WVLIEA, Grant Award G-2201WVLIEI, Grant Award G-2301WVLIEE, Grant Award G-2301WVLIEA, Grant Award G-2301WVLIEI Criteria or specific requirement (including statutory, regulatory, or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) reports for the Temporary Assistance for Needy Families (TANF) program, the subawards were not reported timely and support could not be provided for certain required data elements. Therefore, the TANF program was not in compliance with the provisions of 2 CFR 170 Appendix A. During our testing of Federal Funding Accountability and Transparency Act (FFATA) reports for the Low-Income Home Energy Assistance (LIHEAP) program, it was noted that the reports were not submitted by the Department of Health and Human Resources (DHHR) within the timeframe designated in 2 CFR 170 Appendix A, as well as did not contain accurate subaward grant numbers.
Cause: The West Virginia Department of Health and Human Resources (DHHR) received awards directly from the federal awarding agency. DHHR passed through a portion of the awards to other non-federal entities that were also agencies of the State. Those other agencies of the State subsequently passed through a portion of their awards to other non-federal entities that are not agencies of the State. When DHHR passed through the awards to other agencies of the State, DHHR used their standard grant agreement template since those agencies were external to DHHR. When completing the FFATA reports, the DHHR inappropriately entered the other State agencies as the subrecipient/subawardee and did not report the first-tier subrecipients of DOE timely. DHHR was also not able to provide supporting documentation for the subrecipients unique entity identification (UEI) number. Effect or Potential Effect: The FFATA reports were not submitted timely, and documentation could not be provided to ensure all required data elements were accurate. Questioned Costs: N/A Context: Subawards for the TANF program awarded by the West Virginia Department of Education (DOE) included 11 subawards that totaled $5,653,405 for the year ended June 30, 2023. The 5 subawards that were reported to the FFATA Subaward Reporting System incorrectly and/or late represent the entirety of the $2,851,508 selected for testing. Total federal expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454. Subawards for the LIHEAP program included 28 subawards that totaled $17,348,041 for the year ended June 30, 2023. The 5 subawards that were incorrectly reported to the FFATA Subaward Reporting System represent the entirety of the $3,775,558 selected for testing. Total federal expenditures for LIHEAP for the fiscal year ended June 30, 2023, were $78,229,389. Identification as a Repeat Finding: Prior Year Finding 2022-029 Recommendation: DHHR should consider the State of West Virginia to be the prime recipient. Even if the DHHR passes through a portion of a federal award to other non-federal entities that are agencies of the State, the DHHR should consider those agencies to be part of the prime recipient tier instead of subrecipients. Regardless of the State agency that receives the award directly from the federal awarding agency, the only time a subrecipient relationship exists for the State is when a portion of the award is passed through to a non-federal entity that is not an agency of the State. Accordingly, when DHHR receives and passes through a portion of a federal award to another agency of the State, DHHR should work with the other agency when completing the FFATA reports in an effort to ensure that all subawardee information is complete and accurate. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–041 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF, Low-Income Home Energy Assistance, 93.568/COVID-19 93.568, Grant Award G-2101WVE5C6, Grant Award G-2201WVLIEA, Grant Award G-2201WVLIEI, Grant Award G-2301WVLIEE, Grant Award G-2301WVLIEA, Grant Award G-2301WVLIEI Criteria or specific requirement (including statutory, regulatory, or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) reports for the Temporary Assistance for Needy Families (TANF) program, the subawards were not reported timely and support could not be provided for certain required data elements. Therefore, the TANF program was not in compliance with the provisions of 2 CFR 170 Appendix A. During our testing of Federal Funding Accountability and Transparency Act (FFATA) reports for the Low-Income Home Energy Assistance (LIHEAP) program, it was noted that the reports were not submitted by the Department of Health and Human Resources (DHHR) within the timeframe designated in 2 CFR 170 Appendix A, as well as did not contain accurate subaward grant numbers.
Cause: The West Virginia Department of Health and Human Resources (DHHR) received awards directly from the federal awarding agency. DHHR passed through a portion of the awards to other non-federal entities that were also agencies of the State. Those other agencies of the State subsequently passed through a portion of their awards to other non-federal entities that are not agencies of the State. When DHHR passed through the awards to other agencies of the State, DHHR used their standard grant agreement template since those agencies were external to DHHR. When completing the FFATA reports, the DHHR inappropriately entered the other State agencies as the subrecipient/subawardee and did not report the first-tier subrecipients of DOE timely. DHHR was also not able to provide supporting documentation for the subrecipients unique entity identification (UEI) number. Effect or Potential Effect: The FFATA reports were not submitted timely, and documentation could not be provided to ensure all required data elements were accurate. Questioned Costs: N/A Context: Subawards for the TANF program awarded by the West Virginia Department of Education (DOE) included 11 subawards that totaled $5,653,405 for the year ended June 30, 2023. The 5 subawards that were reported to the FFATA Subaward Reporting System incorrectly and/or late represent the entirety of the $2,851,508 selected for testing. Total federal expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454. Subawards for the LIHEAP program included 28 subawards that totaled $17,348,041 for the year ended June 30, 2023. The 5 subawards that were incorrectly reported to the FFATA Subaward Reporting System represent the entirety of the $3,775,558 selected for testing. Total federal expenditures for LIHEAP for the fiscal year ended June 30, 2023, were $78,229,389. Identification as a Repeat Finding: Prior Year Finding 2022-029 Recommendation: DHHR should consider the State of West Virginia to be the prime recipient. Even if the DHHR passes through a portion of a federal award to other non-federal entities that are agencies of the State, the DHHR should consider those agencies to be part of the prime recipient tier instead of subrecipients. Regardless of the State agency that receives the award directly from the federal awarding agency, the only time a subrecipient relationship exists for the State is when a portion of the award is passed through to a non-federal entity that is not an agency of the State. Accordingly, when DHHR receives and passes through a portion of a federal award to another agency of the State, DHHR should work with the other agency when completing the FFATA reports in an effort to ensure that all subawardee information is complete and accurate. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–046 ELIGIBILITY
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Low-Income Home Energy Assistance 93.568/COVID-19 93.568, Grant Award G-2101WVE5C6, Grant Award G-2201WVLIEA, Grant Award G-2201WVLIEI, Grant Award G-2301WVLIEE, Grant Award G-2301WVLIEA, Grant Award G-2301WVLIEI Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” LIHEAP requires the West Virginia Department of Health and Human Resources (DHHR) to determine whether federal monies are spent in accordance with the eligibility guidelines promulgated by 42 USC 8624(b)(2). Condition: During our testing of 40 LIHEAP benefit payments for eligibility, we noted that three of the six sampled cases from May and June 2023 were paid using the incorrect benefit amount. Cause: Management indicated that the errors were due to the benefit tables not being properly updated within the RAPIDS system to properly calculate the recipients’ benefits during the months of May and June 2023. This was due to insufficient oversight to ensure the table amounts were correct and the benefits were calculating properly. Effect or Potential Effect: Benefit payments were made at the incorrect amount based on the eligible recipients household size, income, and source of energy. Questioned Costs: $1,637 LIHEAP #93.568, Grant # G-2301WVLIEE Context: The three instances noted (three out of six case files tested for May and June, 2023) represent $1,637 of benefit payments out of $3,471 tested from those months. Total payments for benefit assistance for the LIHEAP program were $2,659,674 for the months of May and June 2023 and were $58,226,354 for the year ended June 30, 2023. The federal expenditures for the LIHEAP program for the fiscal year ended June 30, 2023, were $78,229,389. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: DHHR should evaluate its policies and procedures to ensure that the benefit tables within the RAPIDS system are properly updated and reviewed to ensure that all recipients benefits are properly calculated. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–047 SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Low-Income Home Energy Assistance 93.568/COVID-19 93.568, Grant Award G-2101WVE5C6, Grant Award G-2201WVLIEA, Grant Award G-2201WVLIEI, Grant Award G-2301WVLIEE, Grant Award G-2301WVLIEA, Grant Award G-2301WVLIEI Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Per 2 CFR 200.332(f), “All pass-through entities must: Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient's Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in § 200.501.” Condition: During our testing of subrecipient monitoring for subrecipients subject to Uniform Guidance Audit Requirements, it was noted that for the five subrecipients selected that were subject to audit requirements, the management of the West Virginia Community Advancement and Development (WV CAD) was unable to provide supporting documentation that verified the agency performed due diligence to ensure that the subrecipients were properly audited in accordance with the provisions of 2 CFR 200.332(f). Cause: There was lack of supporting documentation provided to properly determine whether the WV CAD management properly verified whether all subrecipients had been audited that were required to be under the requirements of 2 CFR 200.332(f). Effect or Potential Effect: The WV CAD does not have proper internal controls in place to ensure policies and procedures surrounding subrecipient monitoring compliance requirements are in effect. The WV CAD does not have evidence to support that all subrecipients that were required to be audited were done so properly; therefore, this could result in subrecipients required to be audited not having an audit completed. Questioned Costs: N/A Context: Total expenditures and total subrecipient expenditures for the Low-Income Home Energy Assistance program for the year ended June 30, 2023, were $78,229,389 and $17,209,504, respectively. There were 16 total subrecipients and all 5 selected for testing were unable to provide information to support due diligence procedures over subrecipients. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that the WV CAD management review policies and procedures for sufficiency and commit appropriate personnel to subrecipient monitoring to ensure they are in compliance with all federal requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–041 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF, Low-Income Home Energy Assistance, 93.568/COVID-19 93.568, Grant Award G-2101WVE5C6, Grant Award G-2201WVLIEA, Grant Award G-2201WVLIEI, Grant Award G-2301WVLIEE, Grant Award G-2301WVLIEA, Grant Award G-2301WVLIEI Criteria or specific requirement (including statutory, regulatory, or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) reports for the Temporary Assistance for Needy Families (TANF) program, the subawards were not reported timely and support could not be provided for certain required data elements. Therefore, the TANF program was not in compliance with the provisions of 2 CFR 170 Appendix A. During our testing of Federal Funding Accountability and Transparency Act (FFATA) reports for the Low-Income Home Energy Assistance (LIHEAP) program, it was noted that the reports were not submitted by the Department of Health and Human Resources (DHHR) within the timeframe designated in 2 CFR 170 Appendix A, as well as did not contain accurate subaward grant numbers.
Cause: The West Virginia Department of Health and Human Resources (DHHR) received awards directly from the federal awarding agency. DHHR passed through a portion of the awards to other non-federal entities that were also agencies of the State. Those other agencies of the State subsequently passed through a portion of their awards to other non-federal entities that are not agencies of the State. When DHHR passed through the awards to other agencies of the State, DHHR used their standard grant agreement template since those agencies were external to DHHR. When completing the FFATA reports, the DHHR inappropriately entered the other State agencies as the subrecipient/subawardee and did not report the first-tier subrecipients of DOE timely. DHHR was also not able to provide supporting documentation for the subrecipients unique entity identification (UEI) number. Effect or Potential Effect: The FFATA reports were not submitted timely, and documentation could not be provided to ensure all required data elements were accurate. Questioned Costs: N/A Context: Subawards for the TANF program awarded by the West Virginia Department of Education (DOE) included 11 subawards that totaled $5,653,405 for the year ended June 30, 2023. The 5 subawards that were reported to the FFATA Subaward Reporting System incorrectly and/or late represent the entirety of the $2,851,508 selected for testing. Total federal expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454. Subawards for the LIHEAP program included 28 subawards that totaled $17,348,041 for the year ended June 30, 2023. The 5 subawards that were incorrectly reported to the FFATA Subaward Reporting System represent the entirety of the $3,775,558 selected for testing. Total federal expenditures for LIHEAP for the fiscal year ended June 30, 2023, were $78,229,389. Identification as a Repeat Finding: Prior Year Finding 2022-029 Recommendation: DHHR should consider the State of West Virginia to be the prime recipient. Even if the DHHR passes through a portion of a federal award to other non-federal entities that are agencies of the State, the DHHR should consider those agencies to be part of the prime recipient tier instead of subrecipients. Regardless of the State agency that receives the award directly from the federal awarding agency, the only time a subrecipient relationship exists for the State is when a portion of the award is passed through to a non-federal entity that is not an agency of the State. Accordingly, when DHHR receives and passes through a portion of a federal award to another agency of the State, DHHR should work with the other agency when completing the FFATA reports in an effort to ensure that all subawardee information is complete and accurate. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–046 ELIGIBILITY
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Low-Income Home Energy Assistance 93.568/COVID-19 93.568, Grant Award G-2101WVE5C6, Grant Award G-2201WVLIEA, Grant Award G-2201WVLIEI, Grant Award G-2301WVLIEE, Grant Award G-2301WVLIEA, Grant Award G-2301WVLIEI Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” LIHEAP requires the West Virginia Department of Health and Human Resources (DHHR) to determine whether federal monies are spent in accordance with the eligibility guidelines promulgated by 42 USC 8624(b)(2). Condition: During our testing of 40 LIHEAP benefit payments for eligibility, we noted that three of the six sampled cases from May and June 2023 were paid using the incorrect benefit amount. Cause: Management indicated that the errors were due to the benefit tables not being properly updated within the RAPIDS system to properly calculate the recipients’ benefits during the months of May and June 2023. This was due to insufficient oversight to ensure the table amounts were correct and the benefits were calculating properly. Effect or Potential Effect: Benefit payments were made at the incorrect amount based on the eligible recipients household size, income, and source of energy. Questioned Costs: $1,637 LIHEAP #93.568, Grant # G-2301WVLIEE Context: The three instances noted (three out of six case files tested for May and June, 2023) represent $1,637 of benefit payments out of $3,471 tested from those months. Total payments for benefit assistance for the LIHEAP program were $2,659,674 for the months of May and June 2023 and were $58,226,354 for the year ended June 30, 2023. The federal expenditures for the LIHEAP program for the fiscal year ended June 30, 2023, were $78,229,389. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: DHHR should evaluate its policies and procedures to ensure that the benefit tables within the RAPIDS system are properly updated and reviewed to ensure that all recipients benefits are properly calculated. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–047 SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Low-Income Home Energy Assistance 93.568/COVID-19 93.568, Grant Award G-2101WVE5C6, Grant Award G-2201WVLIEA, Grant Award G-2201WVLIEI, Grant Award G-2301WVLIEE, Grant Award G-2301WVLIEA, Grant Award G-2301WVLIEI Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Per 2 CFR 200.332(f), “All pass-through entities must: Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient's Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in § 200.501.” Condition: During our testing of subrecipient monitoring for subrecipients subject to Uniform Guidance Audit Requirements, it was noted that for the five subrecipients selected that were subject to audit requirements, the management of the West Virginia Community Advancement and Development (WV CAD) was unable to provide supporting documentation that verified the agency performed due diligence to ensure that the subrecipients were properly audited in accordance with the provisions of 2 CFR 200.332(f). Cause: There was lack of supporting documentation provided to properly determine whether the WV CAD management properly verified whether all subrecipients had been audited that were required to be under the requirements of 2 CFR 200.332(f). Effect or Potential Effect: The WV CAD does not have proper internal controls in place to ensure policies and procedures surrounding subrecipient monitoring compliance requirements are in effect. The WV CAD does not have evidence to support that all subrecipients that were required to be audited were done so properly; therefore, this could result in subrecipients required to be audited not having an audit completed. Questioned Costs: N/A Context: Total expenditures and total subrecipient expenditures for the Low-Income Home Energy Assistance program for the year ended June 30, 2023, were $78,229,389 and $17,209,504, respectively. There were 16 total subrecipients and all 5 selected for testing were unable to provide information to support due diligence procedures over subrecipients. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that the WV CAD management review policies and procedures for sufficiency and commit appropriate personnel to subrecipient monitoring to ensure they are in compliance with all federal requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–002 DHHR INFORMATION SYSTEM AND RELATED BUSINESS PROCESS CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF, Child Care and Development Fund (CCDF) Cluster, 93.575/93.596/COVID 19 93.575, Grant Award 2201WVCCDF, Grant Award 2201WVCCDM, Grant Award 2201WVCCDD, Grant Award 2301WVCCDF, Grant Award 2301WVCCDM, Grant Award 2301WVCCDD, Foster Care Title IV-E, 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: Family and Children Tracking System (FACTS): West Virginia Department of Health and Human Resources (DHHR) operates a wide variety of computer applications, many of which affect federal and State programs’ data. Our review of the information system controls noted that adequate segregation of duties does not exist for the FACTS information system. Certain users have the ability to both create and approve cases. We noted that management implemented a mitigating detect control for the Foster Care program during fiscal year 2012 in response to this repeat finding; however, it was not designed to encompass the Adoption Assistance program or automatic payments in the Foster Care program. Additionally, no supervisory review is required for provider payment information input into the system. Recipient Automated Payment Information Data System (RAPIDS): Our testing of the controls surrounding eligibility determination noted that adequate segregation of duties does not exist for the RAPIDS system. In addition, no supervisory review is required for case information input into the system. Further, it was noted that approval of disbursements only occurs at the batch level, which does not allow the approver to review each transaction individually. Cause: Controls have not been implemented over the segregation of duties within RAPIDS and FACTS. Furthermore, management indicated that a lack of personnel resources contributes to the improper segregation of duties issue. Effect or Potential Effect: Without proper segregation of duties or adequate detect controls, the ability exists for certain information system users to create and approve cases and demand payments within the FACTS and RAPIDS applications. Information can be input into the FACTS and RAPIDS applications or modified within the applications without supervisory review, which could lead to payments being made to ineligible applicants, for the improper amount, or for an improper length of time. Without proper segregation of duties or adequate detect controls, the ability exists for case workers to input unsupported information into an applicant’s eligibility calculation within RAPIDS. Further, without supervisory review at the transactional level, disbursements for unallowable costs or activities could occur. Questioned Costs: N/A Context: Total federal expenditures for these programs can be located in the Schedule of Expenditures of Federal Awards. Identification as a Repeat Finding: Prior Year Findings 2022–001 and 2021–001
Recommendation: We recommend that access to various FACTS and RAPIDS system applications be restricted to a limited number of users. Controls should be established to ensure that an individual is limited to either creating or approving cases or payments. A detect control should be implemented that would require a review of all individual cases and payments with the same request and approval worker to ensure that cases and payments created and approved were appropriate. Further, we recommend that a formal review process be implemented to ensure that information input into FACTS and RAPIDS is properly reviewed by authorized individuals prior to payment. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–003 INFORMATION TECHNOLOGY GENERAL CONTROLS – WVPATH
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Foster Care Title IV-E 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the wvPATH application. As a result, wvPATH ITGCs, and therefore, wvPATH application controls, cannot be relied upon in the period of audit. Cause: Management could not provide evidence to support wvPATH ITGC processes and controls including access provisioning, revocation of access, and a review of user access. Additionally, documentation was not provided related to wvPATH application change management requests to support updates / customizations to the application were authorized, tested and approved prior to being implemented to production. There was not a clear delineation of responsibilities between the State of West Virginia and the third-party software vendor related to the support and administration of the wvPATH application and supporting infrastructure. The third-party software vendor does not issue a System and Organization Controls (SOC) report for the services provided to the State of West Virginia. Effect or Potential Effect: There is a risk the data relevant to the Foster Care – Title IV-E and Adoption Assistance – Title IV-E programs stored within the wvPATH system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the wvPATH application. As a result, the wvPATH application cannot be relied on for the audit period. Questioned Costs: None Context: Total Foster Care Title IV-E expenditures for the year ended June 30, 2023 were $72,440,416. Total Adoption Assistance expenditures for the year ended June 30, 2023 were $83,731,768. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified wvPATH access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the wvPATH application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the wvPATH application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of wvPATH user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access, including those with privileged access, to the wvPATH application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. A formal, documented process should be implemented to capture authorization, testing and production migration approvals for change requests to the wvPATH application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. For IT processes and controls that are the responsibility of the third-party software vendor, management should evaluate the need for a SOC report for control activities performed by the vendor on behalf of the State of West Virginia. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–048 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES AND SPECIAL TESTS AND PROVISIONS – PAYMENT RATE SETTING AND APPLICATION
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Foster Care Title IV-E 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST Criteria or specific requirement (including statutory, regulatory, or other citation): 2 CFR 200 defines an improper payment as “any payment that should not have been made or that was made in an incorrect amount under statutory, contractual, administrative, or other legally applicable requirements. Incorrect amounts are overpayments or underpayments that are made to eligible recipients (including inappropriate denials of payment or service, any payment that does not account for credit for applicable discounts, payments that are for an incorrect amount, and duplicate payments.” 42 USC 671(a) requires that, to be eligible for payments under the Foster Care – Title IV-E program, States “shall have a plan approved by the Secretary which provides for foster care maintenance payments.” 45 CFR section 1356.21(m)(1) adds that “the title IV-E agency must review at reasonable, specific, time-limited periods to be established by the agency the amount of the payments made for foster care maintenance… to assure their continued appropriateness.” Condition: One of the 40 cases tested for allowability and payment rate setting and application resulted in an underpayment to a reimbursable provider based on the applicable approved rates. Cause: Management indicated that the errors resulted from oversights by caseworkers. Internal controls are not suitably designed to review and approve disbursements. Effect or Potential Effect: An improper payment was made using federal funds. Questioned Costs: N/A Context: Total federal expenditures for the Foster Care Title IV-E program were $72,440,416 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that DHHR review the current staffing and training programs to ensure sufficient staff levels are maintained and adequate technical training is provided. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–049 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES AND ELIGIBILITY
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Foster Care Title IV-E 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST Criteria or specific requirement (including statutory, regulatory, or other citation): 2 CFR 200.303 requires that the DHHR must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 1356.30(f) requires that “in order for a child care institution to be eligible for Title IV-E funding, the licensing file for the institution must contain documentation which verifies that safety considerations with respect to the staff of the institution have been addressed.” Condition: Ten of the 40 cases tested for eligibility related to providers whose licensing files did not initially include the required documentation of certain safety considerations, including criminal background checks for all adults working at the child care institution. During audit fieldwork, management obtained the required documentation related to safety considerations retained by the providers for eight of the 10 cases. Cause: Management indicated that the missing documentation was related to a misunderstanding of the requirement by licensing personnel. Effect or Potential Effect: An ineligible provider was paid using federal funds. Questioned Costs: $3,653 Context: The two cases without the required documentation represent $3,653 of Foster Care – Title IV-E payments out of a total sample of benefit payments tested for allowability and eligibility of $103,814. Total federal expenditures for the Foster Care – Title IV-E program were $72,440,416 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that DHHR obtain and maintain in the licensing file sufficient documentation from all providers to ensure compliance with required safety considerations. Additionally, we recommend that DHHR develop appropriate policies related to the supervision and review of provider licensing and safety consideration monitoring. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–002 DHHR INFORMATION SYSTEM AND RELATED BUSINESS PROCESS CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF, Child Care and Development Fund (CCDF) Cluster, 93.575/93.596/COVID 19 93.575, Grant Award 2201WVCCDF, Grant Award 2201WVCCDM, Grant Award 2201WVCCDD, Grant Award 2301WVCCDF, Grant Award 2301WVCCDM, Grant Award 2301WVCCDD, Foster Care Title IV-E, 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: Family and Children Tracking System (FACTS): West Virginia Department of Health and Human Resources (DHHR) operates a wide variety of computer applications, many of which affect federal and State programs’ data. Our review of the information system controls noted that adequate segregation of duties does not exist for the FACTS information system. Certain users have the ability to both create and approve cases. We noted that management implemented a mitigating detect control for the Foster Care program during fiscal year 2012 in response to this repeat finding; however, it was not designed to encompass the Adoption Assistance program or automatic payments in the Foster Care program. Additionally, no supervisory review is required for provider payment information input into the system. Recipient Automated Payment Information Data System (RAPIDS): Our testing of the controls surrounding eligibility determination noted that adequate segregation of duties does not exist for the RAPIDS system. In addition, no supervisory review is required for case information input into the system. Further, it was noted that approval of disbursements only occurs at the batch level, which does not allow the approver to review each transaction individually. Cause: Controls have not been implemented over the segregation of duties within RAPIDS and FACTS. Furthermore, management indicated that a lack of personnel resources contributes to the improper segregation of duties issue. Effect or Potential Effect: Without proper segregation of duties or adequate detect controls, the ability exists for certain information system users to create and approve cases and demand payments within the FACTS and RAPIDS applications. Information can be input into the FACTS and RAPIDS applications or modified within the applications without supervisory review, which could lead to payments being made to ineligible applicants, for the improper amount, or for an improper length of time. Without proper segregation of duties or adequate detect controls, the ability exists for case workers to input unsupported information into an applicant’s eligibility calculation within RAPIDS. Further, without supervisory review at the transactional level, disbursements for unallowable costs or activities could occur. Questioned Costs: N/A Context: Total federal expenditures for these programs can be located in the Schedule of Expenditures of Federal Awards. Identification as a Repeat Finding: Prior Year Findings 2022–001 and 2021–001
Recommendation: We recommend that access to various FACTS and RAPIDS system applications be restricted to a limited number of users. Controls should be established to ensure that an individual is limited to either creating or approving cases or payments. A detect control should be implemented that would require a review of all individual cases and payments with the same request and approval worker to ensure that cases and payments created and approved were appropriate. Further, we recommend that a formal review process be implemented to ensure that information input into FACTS and RAPIDS is properly reviewed by authorized individuals prior to payment. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–003 INFORMATION TECHNOLOGY GENERAL CONTROLS – WVPATH
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Foster Care Title IV-E 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the wvPATH application. As a result, wvPATH ITGCs, and therefore, wvPATH application controls, cannot be relied upon in the period of audit. Cause: Management could not provide evidence to support wvPATH ITGC processes and controls including access provisioning, revocation of access, and a review of user access. Additionally, documentation was not provided related to wvPATH application change management requests to support updates / customizations to the application were authorized, tested and approved prior to being implemented to production. There was not a clear delineation of responsibilities between the State of West Virginia and the third-party software vendor related to the support and administration of the wvPATH application and supporting infrastructure. The third-party software vendor does not issue a System and Organization Controls (SOC) report for the services provided to the State of West Virginia. Effect or Potential Effect: There is a risk the data relevant to the Foster Care – Title IV-E and Adoption Assistance – Title IV-E programs stored within the wvPATH system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the wvPATH application. As a result, the wvPATH application cannot be relied on for the audit period. Questioned Costs: None Context: Total Foster Care Title IV-E expenditures for the year ended June 30, 2023 were $72,440,416. Total Adoption Assistance expenditures for the year ended June 30, 2023 were $83,731,768. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified wvPATH access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the wvPATH application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the wvPATH application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of wvPATH user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access, including those with privileged access, to the wvPATH application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. A formal, documented process should be implemented to capture authorization, testing and production migration approvals for change requests to the wvPATH application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. For IT processes and controls that are the responsibility of the third-party software vendor, management should evaluate the need for a SOC report for control activities performed by the vendor on behalf of the State of West Virginia. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–053 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES AND ELIGIBILITY
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
42 USC 673(a)(2) indicates that funds may be expended for adoption assistance subsidy payments made on behalf of eligible children, in accordance with a written and binding adoption assistance agreement. Subsidy payments are made to adoptive parents based on the need(s) of the child (i.e., developmental, cognitive, emotional behavioral) and the circumstances of the adopting parents. Condition: Four of the 40 cases tested for allowability and eligibility resulted in a disbursement that was not related to the Adoption Assistance – Title IV-E program due to a clerical error, which caused certain benefit payments to be paid out of the incorrect federal assistance listing number. One of the 40 cases tested for allowability and eligibility resulted in an overpayment. Cause: Management indicated that the payments were caused by clerical errors. Internal controls are not suitably designed to review and approve disbursements. Effect or Potential Effect: Ineligible or unallowable claims were paid using federal funds. Questioned Costs: $2,446 Context: The five instances represent $2,446 of adoption assistance payments out of a total sample of benefit payments tested for allowability and eligibility of $53,146. Total federal expenditures for the Adoption Assistance program were $83,731,768 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that DHHR implement internal controls to review all benefit payments to ensure they are coded correctly and the proper amount of benefits are paid out of the correct federal assistance listing number. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–050 INTERNAL CONTROL OVER ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES, SPECIAL TEST AND PROVISIONS – PROVIDER ENROLLMENT & SPECIAL TEST AND PROVISIONS: PROVIDER HEALTH AND SAFETY STANDARDS (MEDICAID ONLY)
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Medicaid Cluster 93.775/93.777/93.778, Grant Award 2005WVINCT, Grant Award 1905WV5MAP, Grant Award 2005WV5ADM, Grant Award 2005WVIMPL, Grant Award 2005WV5MAP, Grant Award 2105WV5MAP, Grant Award 2105WV5ADM, Grant Award 2105WVIMPL, Grant Award 2105WVINCT, Grant Award 2005WVINCT, Grant Award 1905WV5MAP; Children’s Health Insurance Program (CHIP) 93.767, Grant Award 2005WV5021, Grant Award 2105WV5021, Grant Award 2205WV5021 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: West Virginia Department of Health and Human Resources (DHHR) contracts a third-party service organization (Gainwell Technologies LLC) to design and maintain the WV Medicaid Management Information System (WVMMIS) and perform various functions related to the processing of claims for both the Medicaid and CHIP programs. DHHR obtains a Service Organization Controls (SOC) 1 Type 2 report for WVMMIS annually. DHHR’s internal controls over the review of the report did not identify the report had a qualified opinion. Therefore, management did not appropriately address the risk of DHHR relying on the data within WVMMIS. Cause: Management’s design of the internal controls over the annual review of the WVMMIS SOC 1 Type 2 report was not suitably designed to assess the type of opinion issued and the control exceptions identified and then implement appropriate actions for any adverse items noted. Effect or Potential Effect: WVMMIS relied on the WVMMIS SOC 1 Type 2 report that had a qualified opinion. Questioned Costs: N/A Context: The federal expenditures for the Medicaid and CHIP programs for the fiscal year ended June 30, 2023, were $4,622,001,554 and $72,568,219, respectively. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: DHHR should develop internal controls to outline the key components of the SOC 1 Type 2 report to ensure the review appropriately identifies internal controls issues timely to ensure they are addressed timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–004 INTERNAL CONTROLS OVER SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Opioid STR 93.788, Grant Award 1H79TI085744-01, Grant Award 1H79TI083313-01, Grant Award 6H79TI083313-02M002, Grant Award 6H79TI083313-02M004, Grant Award 5H79TI083313-02 Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04, Child Care and Development Fund (CCDF) Cluster 93.575/93.596/COVID-19 93.575, Grant Award G2201WVCCDF, Grant Award G2301WVCCDF Temporary Assistance for Needy Families 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: During our internal control testing of subrecipient monitoring, we determined that the subrecipient risk assessment performed did not clearly conclude the level of risk assessed (Low, Medium, High) for each subrecipient. Cause: The internal controls over subrecipient monitoring are not designed sufficiently to require a conclusion to be reached on a subrecipient’s risk assessment to determine the level of monitoring required to be performed. Effect or Potential Effect: Subrecipients may not be properly risk assessed; therefore, impacting the type and amount of monitoring that would be performed in the future. Questioned Costs: N/A Context: The federal expenditures and subrecipient expenditures for the Opioid STR program for the fiscal year ended June 30, 2023, were $34,877,309 and $32,388,417, respectively. The federal expenditures and subrecipient expenditures for the Child Care and Development Fund (CCDF Cluster) for the fiscal year ended June 30, 2023, were $202,427,780 and $45,239,361, respectively. The federal expenditures and subrecipient expenditures for the Temporary Assistance for Needy Families for the fiscal year ended June 30, 2023, were $85,510,454, and $18,789,521, respectively. Identification as a Repeat Finding: Prior Year Finding 2022–041 Recommendation: We recommend that DHHR management review its internal controls over the risk assessment process to perform the risk assessment and conclude on the level of risk and monitoring required. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–052 SUBRECIPIENT CASH MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Opioid STR 93.788, Grant Award 1H79TI085744, Grant Award 5H79TI083313, Grant Award 1H79TI083313, Grant Award 6H79TI083313 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be following guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.305(b)(1) requires that the non-federal entity must “monitor cash drawdowns by their subrecipients to ensure that the time elapsing between the transfer of federal funds to the subrecipient and their disbursement for program purposes is minimized as required by the applicable cash management requirements in the federal award to the recipient.” Per DHHR policy, the Spending Unit shall limit cash advances to a subrecipient to the minimum amounts needed and be timed in accordance with the actual, immediate cash requirements of the subrecipient for carrying out the purpose of the approved program or project. The timing and amount of cash advances shall be as close as is administratively feasible to the actual disbursements by the subrecipient for direct program or project costs and the proportionate share of any allowable indirect costs. Condition: During testing of the State Targeted Response to the Opioid Crisis Grants, for 3 of the 40 disbursements selected for testing the approval of the reconciliation of grantee drawdowns and expenses was not reviewed prior to the payment of the subrecipient invoice. Further for 1 of the 40 disbursements selected for testing, information supporting why the subrecipient drawdown was approved for payment was not adequate. Supporting information indicates the grantee had excess cash balances on hand prior to the draw and there was no formal documentation of a program manager’s justification to allow the draw therefore the state was not minimizing the time between the transfer of funds to the subrecipient and the subrecipient’s expenditure of the funds. Cause: Internal controls are not operating effectively surrounding the approval of subrecipient cash disbursements. Supporting documentation was not retained to demonstrate cash advances to the subrecipient represented the minimum amount needed for actual and immediate cash requirements of the subrecipient for carrying out the purpose of the program. Effect or Potential Effect: The cash remitted to the subrecipient may not be accurate and may be in excess of the subrecipients actual and immediate cash requirements for carrying out the purpose of the program. Questioned Costs: $188,484, Opioid STR 93.788 Context: The total subrecipient drawdowns selected for testing was $8,073,637. The total amount of subrecipient drawdowns for the Opioid STR program was $32,972,268 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–038 Recommendation: We recommend that DHHR establish policies and procedures requiring documentation from subrecipients substantiating that the amount of a drawdown is appropriate based on the expenditures through the request date so that the reconciliation preformed for the related drawdown is sufficient to determine that the drawdown is appropriate and excess cash is not remitted to the subrecipient. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–002 DHHR INFORMATION SYSTEM AND RELATED BUSINESS PROCESS CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF, Child Care and Development Fund (CCDF) Cluster, 93.575/93.596/COVID 19 93.575, Grant Award 2201WVCCDF, Grant Award 2201WVCCDM, Grant Award 2201WVCCDD, Grant Award 2301WVCCDF, Grant Award 2301WVCCDM, Grant Award 2301WVCCDD, Foster Care Title IV-E, 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: Family and Children Tracking System (FACTS): West Virginia Department of Health and Human Resources (DHHR) operates a wide variety of computer applications, many of which affect federal and State programs’ data. Our review of the information system controls noted that adequate segregation of duties does not exist for the FACTS information system. Certain users have the ability to both create and approve cases. We noted that management implemented a mitigating detect control for the Foster Care program during fiscal year 2012 in response to this repeat finding; however, it was not designed to encompass the Adoption Assistance program or automatic payments in the Foster Care program. Additionally, no supervisory review is required for provider payment information input into the system. Recipient Automated Payment Information Data System (RAPIDS): Our testing of the controls surrounding eligibility determination noted that adequate segregation of duties does not exist for the RAPIDS system. In addition, no supervisory review is required for case information input into the system. Further, it was noted that approval of disbursements only occurs at the batch level, which does not allow the approver to review each transaction individually. Cause: Controls have not been implemented over the segregation of duties within RAPIDS and FACTS. Furthermore, management indicated that a lack of personnel resources contributes to the improper segregation of duties issue. Effect or Potential Effect: Without proper segregation of duties or adequate detect controls, the ability exists for certain information system users to create and approve cases and demand payments within the FACTS and RAPIDS applications. Information can be input into the FACTS and RAPIDS applications or modified within the applications without supervisory review, which could lead to payments being made to ineligible applicants, for the improper amount, or for an improper length of time. Without proper segregation of duties or adequate detect controls, the ability exists for case workers to input unsupported information into an applicant’s eligibility calculation within RAPIDS. Further, without supervisory review at the transactional level, disbursements for unallowable costs or activities could occur. Questioned Costs: N/A Context: Total federal expenditures for these programs can be located in the Schedule of Expenditures of Federal Awards. Identification as a Repeat Finding: Prior Year Findings 2022–001 and 2021–001
Recommendation: We recommend that access to various FACTS and RAPIDS system applications be restricted to a limited number of users. Controls should be established to ensure that an individual is limited to either creating or approving cases or payments. A detect control should be implemented that would require a review of all individual cases and payments with the same request and approval worker to ensure that cases and payments created and approved were appropriate. Further, we recommend that a formal review process be implemented to ensure that information input into FACTS and RAPIDS is properly reviewed by authorized individuals prior to payment. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–004 INTERNAL CONTROLS OVER SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Opioid STR 93.788, Grant Award 1H79TI085744-01, Grant Award 1H79TI083313-01, Grant Award 6H79TI083313-02M002, Grant Award 6H79TI083313-02M004, Grant Award 5H79TI083313-02 Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04, Child Care and Development Fund (CCDF) Cluster 93.575/93.596/COVID-19 93.575, Grant Award G2201WVCCDF, Grant Award G2301WVCCDF Temporary Assistance for Needy Families 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: During our internal control testing of subrecipient monitoring, we determined that the subrecipient risk assessment performed did not clearly conclude the level of risk assessed (Low, Medium, High) for each subrecipient. Cause: The internal controls over subrecipient monitoring are not designed sufficiently to require a conclusion to be reached on a subrecipient’s risk assessment to determine the level of monitoring required to be performed. Effect or Potential Effect: Subrecipients may not be properly risk assessed; therefore, impacting the type and amount of monitoring that would be performed in the future. Questioned Costs: N/A Context: The federal expenditures and subrecipient expenditures for the Opioid STR program for the fiscal year ended June 30, 2023, were $34,877,309 and $32,388,417, respectively. The federal expenditures and subrecipient expenditures for the Child Care and Development Fund (CCDF Cluster) for the fiscal year ended June 30, 2023, were $202,427,780 and $45,239,361, respectively. The federal expenditures and subrecipient expenditures for the Temporary Assistance for Needy Families for the fiscal year ended June 30, 2023, were $85,510,454, and $18,789,521, respectively. Identification as a Repeat Finding: Prior Year Finding 2022–041 Recommendation: We recommend that DHHR management review its internal controls over the risk assessment process to perform the risk assessment and conclude on the level of risk and monitoring required. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–042 SPECIAL TESTS AND PROVISIONS – PROVIDER ELIGIBILITY FOR ARP ACT STABILIZATION FUNDS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/COVID-19 93.575/93.596, Grant Award 2022 – 2201WVCCDD, Grant Award 2022 – 2201WVCCDF, Grant Award 2023 – 2301WVCCDD, Grant Award 2023 – 2301WVCCDF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). According to Pub L 117-2 Sec. 2201: “To be qualified to receive ARP Act stabilization funds, a provider on the date of application for the award must either be: (1) open and available to provide child care services, or (2) closed due to public health, financial hardship, or other reasons relating to the COVID-19 public health emergency. In addition, the provider must either (1) be eligible to serve children who receive CCDF subsidies at the time of application for stabilization funds, or (2) be licensed, regulated, or registered in the state, territory, or tribe as of March 11, 2021 and meet applicable state and local health and safety requirements at the time of application for stabilization funds. In their application for stabilization funds, a child care provider must certify: a). That the provider will, when open and providing services, implement policies in line with guidance and orders from corresponding state, territorial, tribal, and local authorities and, to the greatest extent possible, implement policies in line with guidance from the CDC. b). For each employee, the provider must pay at least the same amount in weekly wages and maintain the same benefits for the duration of the stabilization funding. c). The provider will provide relief from copayments and tuition payments for the families enrolled in the provider’s program, to the extent possible, and prioritize such relief for families struggling to make either type of payment.” Condition: The West Virginia Department of Health & Human Resources (DHHR) has policies and procedures in place surrounding the review and approval of provider certifications in the application for funding and review and approval of verification of eligibility criteria; however, adequate documentation to support the review was not maintained. In addition, 2 of the 40 selected did not have a Provider Service Agreement that was completed and 1 of the 40 Provider Service Agreements did not have evidence of provider’s required certifications available. Cause: Internal controls are not operating effectively surrounding the review and approval of provider certifications and verification of eligibility criteria. Effect or Potential Effect: Providers who received ARP Act Stabilization funds may not have met the eligibility criteria or made the required certifications. Questioned Costs: N/A Context: Total federal expenditures for CCDF Cluster for the fiscal year ended June 30, 2023, were $202,427,780. Identification as a Repeat Finding: Prior Year Finding 2022–026 Recommendation: We recommend that DHHR management maintain sufficient documentation to evidence its review and approval of provider certifications and eligibility criteria. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–043 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/COVID-19 93.575/93.596, Grant Award 2022 – 2201WVCCDD, Grant Award 2022 – 2201WVCCDF, Grant Award 2023 – 2301WVCCDD, Grant Award 2023 – 2301WVCCDF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) Reports, it was noted that one report was not submitted by the State of West Virginia Child Care Development Fund (DHHR) program management within the timeframe designated in 2 CFR 170 Appendix A.
Cause: A lack of oversight and adequate review of the FFATA reporting by DHHR management. Effect or Potential Effect: DHHR management did not report the necessary FFATA report for Child Care first-tier subawards over $30,000 to The FFATA Subaward Reporting System in a timely fashion for one report. Questioned Costs: N/A Context: Subawards for the Child Care program included 10 subawards which had payments totaling $45,239,361 for the year ended June 30, 2023. The federal expenditures for the Child Care program for the fiscal year ended June 30, 2023 were $202,427,780. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that strengthen internal controls and policies and procedures over FFATA reporting to ensure they are in compliance with the federal reporting requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–044 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES AND ELIGIBILITY
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/COVID-19 93.575/93.596, Grant Award 2201WVCCDD, Grant Award 2101WVCCDF, Grant Award 2201WVCCDF, Grant Award 2301WVCCDD, Grant Award 2301WVCCDF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The allowability compliance requirements of the Child Care and Development Fund (CCDF) Cluster require the West Virginia Department of Health and Human Resources (DHHR) to conform to the following criteria contained in 2 CFR Part 200: “Costs did not consist of improper payments, including (1) payments that should not have been made or that were made in incorrect amounts (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; (2) payments that do not account for credit for applicable discounts; (3) duplicate payments; (4) payments that were made to an ineligible party or for an ineligible good or service; and (5) payments for goods or services not received (except for such payments where authorized by law). Costs were necessary and reasonable for the performance of the Federal award and allocable under the principles of 2 CFR part 200, subpart E. Costs were adequately documented.” Condition: Benefits paid to or on behalf of the individuals were calculated correctly and in compliance with the requirements of the program. We noted benefits were not paid in accordance with 2 CFR Part 200 (1) during the testing of 40 payments to providers for eligibility and allowability, as follows: • For 1 of the 40 payments, records indicate the child was covered under a Child Protective Services (CPS) safety plan. However, the $3 daily supplement was not included in the calculation or paid, resulting in an underpayment of $170. • For 1 of the 40 payments, the provider requested payment and was paid for 13 non-traditional days, however records indicate only 11 of the 13 days were non-traditional, resulting in an overpayment of $12. Cause: Management indicated that the errors were due to caseworker oversight. Internal controls are not suitably designed to review and approve disbursements. Effect or Potential Effect: Payments were not given consistent treatment, potentially resulting in overpayment or underpayment to providers. Questioned Costs: $12 Assistance Listing # 93.575 (Grant Award 2301WVCCDF) Context: The total of all benefit payments tested was $25,385. Total provider payments for the CCDF Cluster for the fiscal year ended June 30, 2023 were $157,188,419. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: DHHR should evaluate the effectiveness of the current training programs for the use of the Families and Children Tracking System (FACTS) (and subsequently West Virginia People's Access to Help (WV PATH) systems for CCDF payments). Furthermore, DHHR should follow established policies and procedures to ensure client information and the number of days are input correctly. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–045 SPECIAL TESTS AND PROVISIONS – FRAUD DETECTION AND REPAYMENT
Federal Program Information: Federal Agency and Program Name CFDA# U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/93.596 COVID-19 93.575, Grant Award 2201WVCCDD, Grant Award 2201WVCCDF, Grant Award 2301WVCCDD, Grant Award 2301WVCCDF
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 states that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). (b) Comply with Federal statutes, regulations, and the terms and conditions of the Federal awards. (c) Evaluate and monitor the non-Federal entity’s compliance with statute, regulations and the terms and conditions of Federal awards. (d) Take prompt action when instances of noncompliance are identified including noncompliance identified in audit findings. (e) Take reasonable measures to safeguard protected personally identifiable information and other information the Federal awarding agency or pass-through entity designates as sensitive or the non-Federal entity considers sensitive consistent with applicable Federal, state and local laws regarding privacy and obligations of confidentiality.” Lead Agencies shall recover child care payments that are the result of fraud. These payments shall be recovered from the party responsible for committing the fraud. (45 CFR section 98.60). Condition: Current policies indicate the DHHR refers potentially fraudulent payments to the Office of the Inspector General (OIG) for investigation. When an investigation results in a determination of fraud, a repayment plan is required to be established and tracked. However, documentation of the review of the listing of cases referred for investigation, including the status was not available. For one of the five closed investigations selected, a repayment plan was approved however repayments were not received and documentation of action taken was not available. For two of the five closed investigations selected, documentation for approval of the repayment plan, repayments received, or other follow-up action taken was not available. Therefore, the auditor was unable to reach a conclusion. Cause: Staff turnover in recent years in Departments responsible for this process caused inconsistencies in the way investigation of potentially fraudulent claims were identified, documented, and reported. Effect or Potential Effect: Payments resulting from fraud may not have been identified, and the proper procedures to establish repayment or recovery may not have occurred in a reasonable amount of time. Questioned Costs: $16,103 Context: Total federal expenditures for the CCDF Cluster for fiscal year ended June 30, 2023, were $202,427,780. Identification as a Repeat Finding: This is not a repeat finding from prior year. Recommendation: The DHHR should work with the OIG to ensure its internal controls and policies and procedures are robust and include sufficient documentation of oversight and review to ensure fraudulent claims are identified and tracked beginning in the year of identification and continuing through the establishment and enforcement of repayment agreements. Additionally, status monitoring of cases referred for investigation should be documented, and follow-up completed timely. Views of Responsible Officials: Management acknowledges the finding. See corrective action plan.
2023–002 DHHR INFORMATION SYSTEM AND RELATED BUSINESS PROCESS CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF, Child Care and Development Fund (CCDF) Cluster, 93.575/93.596/COVID 19 93.575, Grant Award 2201WVCCDF, Grant Award 2201WVCCDM, Grant Award 2201WVCCDD, Grant Award 2301WVCCDF, Grant Award 2301WVCCDM, Grant Award 2301WVCCDD, Foster Care Title IV-E, 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: Family and Children Tracking System (FACTS): West Virginia Department of Health and Human Resources (DHHR) operates a wide variety of computer applications, many of which affect federal and State programs’ data. Our review of the information system controls noted that adequate segregation of duties does not exist for the FACTS information system. Certain users have the ability to both create and approve cases. We noted that management implemented a mitigating detect control for the Foster Care program during fiscal year 2012 in response to this repeat finding; however, it was not designed to encompass the Adoption Assistance program or automatic payments in the Foster Care program. Additionally, no supervisory review is required for provider payment information input into the system. Recipient Automated Payment Information Data System (RAPIDS): Our testing of the controls surrounding eligibility determination noted that adequate segregation of duties does not exist for the RAPIDS system. In addition, no supervisory review is required for case information input into the system. Further, it was noted that approval of disbursements only occurs at the batch level, which does not allow the approver to review each transaction individually. Cause: Controls have not been implemented over the segregation of duties within RAPIDS and FACTS. Furthermore, management indicated that a lack of personnel resources contributes to the improper segregation of duties issue. Effect or Potential Effect: Without proper segregation of duties or adequate detect controls, the ability exists for certain information system users to create and approve cases and demand payments within the FACTS and RAPIDS applications. Information can be input into the FACTS and RAPIDS applications or modified within the applications without supervisory review, which could lead to payments being made to ineligible applicants, for the improper amount, or for an improper length of time. Without proper segregation of duties or adequate detect controls, the ability exists for case workers to input unsupported information into an applicant’s eligibility calculation within RAPIDS. Further, without supervisory review at the transactional level, disbursements for unallowable costs or activities could occur. Questioned Costs: N/A Context: Total federal expenditures for these programs can be located in the Schedule of Expenditures of Federal Awards. Identification as a Repeat Finding: Prior Year Findings 2022–001 and 2021–001
Recommendation: We recommend that access to various FACTS and RAPIDS system applications be restricted to a limited number of users. Controls should be established to ensure that an individual is limited to either creating or approving cases or payments. A detect control should be implemented that would require a review of all individual cases and payments with the same request and approval worker to ensure that cases and payments created and approved were appropriate. Further, we recommend that a formal review process be implemented to ensure that information input into FACTS and RAPIDS is properly reviewed by authorized individuals prior to payment. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–004 INTERNAL CONTROLS OVER SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Opioid STR 93.788, Grant Award 1H79TI085744-01, Grant Award 1H79TI083313-01, Grant Award 6H79TI083313-02M002, Grant Award 6H79TI083313-02M004, Grant Award 5H79TI083313-02 Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04, Child Care and Development Fund (CCDF) Cluster 93.575/93.596/COVID-19 93.575, Grant Award G2201WVCCDF, Grant Award G2301WVCCDF Temporary Assistance for Needy Families 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: During our internal control testing of subrecipient monitoring, we determined that the subrecipient risk assessment performed did not clearly conclude the level of risk assessed (Low, Medium, High) for each subrecipient. Cause: The internal controls over subrecipient monitoring are not designed sufficiently to require a conclusion to be reached on a subrecipient’s risk assessment to determine the level of monitoring required to be performed. Effect or Potential Effect: Subrecipients may not be properly risk assessed; therefore, impacting the type and amount of monitoring that would be performed in the future. Questioned Costs: N/A Context: The federal expenditures and subrecipient expenditures for the Opioid STR program for the fiscal year ended June 30, 2023, were $34,877,309 and $32,388,417, respectively. The federal expenditures and subrecipient expenditures for the Child Care and Development Fund (CCDF Cluster) for the fiscal year ended June 30, 2023, were $202,427,780 and $45,239,361, respectively. The federal expenditures and subrecipient expenditures for the Temporary Assistance for Needy Families for the fiscal year ended June 30, 2023, were $85,510,454, and $18,789,521, respectively. Identification as a Repeat Finding: Prior Year Finding 2022–041 Recommendation: We recommend that DHHR management review its internal controls over the risk assessment process to perform the risk assessment and conclude on the level of risk and monitoring required. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–042 SPECIAL TESTS AND PROVISIONS – PROVIDER ELIGIBILITY FOR ARP ACT STABILIZATION FUNDS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/COVID-19 93.575/93.596, Grant Award 2022 – 2201WVCCDD, Grant Award 2022 – 2201WVCCDF, Grant Award 2023 – 2301WVCCDD, Grant Award 2023 – 2301WVCCDF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). According to Pub L 117-2 Sec. 2201: “To be qualified to receive ARP Act stabilization funds, a provider on the date of application for the award must either be: (1) open and available to provide child care services, or (2) closed due to public health, financial hardship, or other reasons relating to the COVID-19 public health emergency. In addition, the provider must either (1) be eligible to serve children who receive CCDF subsidies at the time of application for stabilization funds, or (2) be licensed, regulated, or registered in the state, territory, or tribe as of March 11, 2021 and meet applicable state and local health and safety requirements at the time of application for stabilization funds. In their application for stabilization funds, a child care provider must certify: a). That the provider will, when open and providing services, implement policies in line with guidance and orders from corresponding state, territorial, tribal, and local authorities and, to the greatest extent possible, implement policies in line with guidance from the CDC. b). For each employee, the provider must pay at least the same amount in weekly wages and maintain the same benefits for the duration of the stabilization funding. c). The provider will provide relief from copayments and tuition payments for the families enrolled in the provider’s program, to the extent possible, and prioritize such relief for families struggling to make either type of payment.” Condition: The West Virginia Department of Health & Human Resources (DHHR) has policies and procedures in place surrounding the review and approval of provider certifications in the application for funding and review and approval of verification of eligibility criteria; however, adequate documentation to support the review was not maintained. In addition, 2 of the 40 selected did not have a Provider Service Agreement that was completed and 1 of the 40 Provider Service Agreements did not have evidence of provider’s required certifications available. Cause: Internal controls are not operating effectively surrounding the review and approval of provider certifications and verification of eligibility criteria. Effect or Potential Effect: Providers who received ARP Act Stabilization funds may not have met the eligibility criteria or made the required certifications. Questioned Costs: N/A Context: Total federal expenditures for CCDF Cluster for the fiscal year ended June 30, 2023, were $202,427,780. Identification as a Repeat Finding: Prior Year Finding 2022–026 Recommendation: We recommend that DHHR management maintain sufficient documentation to evidence its review and approval of provider certifications and eligibility criteria. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–043 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/COVID-19 93.575/93.596, Grant Award 2022 – 2201WVCCDD, Grant Award 2022 – 2201WVCCDF, Grant Award 2023 – 2301WVCCDD, Grant Award 2023 – 2301WVCCDF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) Reports, it was noted that one report was not submitted by the State of West Virginia Child Care Development Fund (DHHR) program management within the timeframe designated in 2 CFR 170 Appendix A.
Cause: A lack of oversight and adequate review of the FFATA reporting by DHHR management. Effect or Potential Effect: DHHR management did not report the necessary FFATA report for Child Care first-tier subawards over $30,000 to The FFATA Subaward Reporting System in a timely fashion for one report. Questioned Costs: N/A Context: Subawards for the Child Care program included 10 subawards which had payments totaling $45,239,361 for the year ended June 30, 2023. The federal expenditures for the Child Care program for the fiscal year ended June 30, 2023 were $202,427,780. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that strengthen internal controls and policies and procedures over FFATA reporting to ensure they are in compliance with the federal reporting requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–044 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES AND ELIGIBILITY
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/COVID-19 93.575/93.596, Grant Award 2201WVCCDD, Grant Award 2101WVCCDF, Grant Award 2201WVCCDF, Grant Award 2301WVCCDD, Grant Award 2301WVCCDF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The allowability compliance requirements of the Child Care and Development Fund (CCDF) Cluster require the West Virginia Department of Health and Human Resources (DHHR) to conform to the following criteria contained in 2 CFR Part 200: “Costs did not consist of improper payments, including (1) payments that should not have been made or that were made in incorrect amounts (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; (2) payments that do not account for credit for applicable discounts; (3) duplicate payments; (4) payments that were made to an ineligible party or for an ineligible good or service; and (5) payments for goods or services not received (except for such payments where authorized by law). Costs were necessary and reasonable for the performance of the Federal award and allocable under the principles of 2 CFR part 200, subpart E. Costs were adequately documented.” Condition: Benefits paid to or on behalf of the individuals were calculated correctly and in compliance with the requirements of the program. We noted benefits were not paid in accordance with 2 CFR Part 200 (1) during the testing of 40 payments to providers for eligibility and allowability, as follows: • For 1 of the 40 payments, records indicate the child was covered under a Child Protective Services (CPS) safety plan. However, the $3 daily supplement was not included in the calculation or paid, resulting in an underpayment of $170. • For 1 of the 40 payments, the provider requested payment and was paid for 13 non-traditional days, however records indicate only 11 of the 13 days were non-traditional, resulting in an overpayment of $12. Cause: Management indicated that the errors were due to caseworker oversight. Internal controls are not suitably designed to review and approve disbursements. Effect or Potential Effect: Payments were not given consistent treatment, potentially resulting in overpayment or underpayment to providers. Questioned Costs: $12 Assistance Listing # 93.575 (Grant Award 2301WVCCDF) Context: The total of all benefit payments tested was $25,385. Total provider payments for the CCDF Cluster for the fiscal year ended June 30, 2023 were $157,188,419. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: DHHR should evaluate the effectiveness of the current training programs for the use of the Families and Children Tracking System (FACTS) (and subsequently West Virginia People's Access to Help (WV PATH) systems for CCDF payments). Furthermore, DHHR should follow established policies and procedures to ensure client information and the number of days are input correctly. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–045 SPECIAL TESTS AND PROVISIONS – FRAUD DETECTION AND REPAYMENT
Federal Program Information: Federal Agency and Program Name CFDA# U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/93.596 COVID-19 93.575, Grant Award 2201WVCCDD, Grant Award 2201WVCCDF, Grant Award 2301WVCCDD, Grant Award 2301WVCCDF
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 states that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). (b) Comply with Federal statutes, regulations, and the terms and conditions of the Federal awards. (c) Evaluate and monitor the non-Federal entity’s compliance with statute, regulations and the terms and conditions of Federal awards. (d) Take prompt action when instances of noncompliance are identified including noncompliance identified in audit findings. (e) Take reasonable measures to safeguard protected personally identifiable information and other information the Federal awarding agency or pass-through entity designates as sensitive or the non-Federal entity considers sensitive consistent with applicable Federal, state and local laws regarding privacy and obligations of confidentiality.” Lead Agencies shall recover child care payments that are the result of fraud. These payments shall be recovered from the party responsible for committing the fraud. (45 CFR section 98.60). Condition: Current policies indicate the DHHR refers potentially fraudulent payments to the Office of the Inspector General (OIG) for investigation. When an investigation results in a determination of fraud, a repayment plan is required to be established and tracked. However, documentation of the review of the listing of cases referred for investigation, including the status was not available. For one of the five closed investigations selected, a repayment plan was approved however repayments were not received and documentation of action taken was not available. For two of the five closed investigations selected, documentation for approval of the repayment plan, repayments received, or other follow-up action taken was not available. Therefore, the auditor was unable to reach a conclusion. Cause: Staff turnover in recent years in Departments responsible for this process caused inconsistencies in the way investigation of potentially fraudulent claims were identified, documented, and reported. Effect or Potential Effect: Payments resulting from fraud may not have been identified, and the proper procedures to establish repayment or recovery may not have occurred in a reasonable amount of time. Questioned Costs: $16,103 Context: Total federal expenditures for the CCDF Cluster for fiscal year ended June 30, 2023, were $202,427,780. Identification as a Repeat Finding: This is not a repeat finding from prior year. Recommendation: The DHHR should work with the OIG to ensure its internal controls and policies and procedures are robust and include sufficient documentation of oversight and review to ensure fraudulent claims are identified and tracked beginning in the year of identification and continuing through the establishment and enforcement of repayment agreements. Additionally, status monitoring of cases referred for investigation should be documented, and follow-up completed timely. Views of Responsible Officials: Management acknowledges the finding. See corrective action plan.
2023–002 DHHR INFORMATION SYSTEM AND RELATED BUSINESS PROCESS CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF, Child Care and Development Fund (CCDF) Cluster, 93.575/93.596/COVID 19 93.575, Grant Award 2201WVCCDF, Grant Award 2201WVCCDM, Grant Award 2201WVCCDD, Grant Award 2301WVCCDF, Grant Award 2301WVCCDM, Grant Award 2301WVCCDD, Foster Care Title IV-E, 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: Family and Children Tracking System (FACTS): West Virginia Department of Health and Human Resources (DHHR) operates a wide variety of computer applications, many of which affect federal and State programs’ data. Our review of the information system controls noted that adequate segregation of duties does not exist for the FACTS information system. Certain users have the ability to both create and approve cases. We noted that management implemented a mitigating detect control for the Foster Care program during fiscal year 2012 in response to this repeat finding; however, it was not designed to encompass the Adoption Assistance program or automatic payments in the Foster Care program. Additionally, no supervisory review is required for provider payment information input into the system. Recipient Automated Payment Information Data System (RAPIDS): Our testing of the controls surrounding eligibility determination noted that adequate segregation of duties does not exist for the RAPIDS system. In addition, no supervisory review is required for case information input into the system. Further, it was noted that approval of disbursements only occurs at the batch level, which does not allow the approver to review each transaction individually. Cause: Controls have not been implemented over the segregation of duties within RAPIDS and FACTS. Furthermore, management indicated that a lack of personnel resources contributes to the improper segregation of duties issue. Effect or Potential Effect: Without proper segregation of duties or adequate detect controls, the ability exists for certain information system users to create and approve cases and demand payments within the FACTS and RAPIDS applications. Information can be input into the FACTS and RAPIDS applications or modified within the applications without supervisory review, which could lead to payments being made to ineligible applicants, for the improper amount, or for an improper length of time. Without proper segregation of duties or adequate detect controls, the ability exists for case workers to input unsupported information into an applicant’s eligibility calculation within RAPIDS. Further, without supervisory review at the transactional level, disbursements for unallowable costs or activities could occur. Questioned Costs: N/A Context: Total federal expenditures for these programs can be located in the Schedule of Expenditures of Federal Awards. Identification as a Repeat Finding: Prior Year Findings 2022–001 and 2021–001
Recommendation: We recommend that access to various FACTS and RAPIDS system applications be restricted to a limited number of users. Controls should be established to ensure that an individual is limited to either creating or approving cases or payments. A detect control should be implemented that would require a review of all individual cases and payments with the same request and approval worker to ensure that cases and payments created and approved were appropriate. Further, we recommend that a formal review process be implemented to ensure that information input into FACTS and RAPIDS is properly reviewed by authorized individuals prior to payment. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–004 INTERNAL CONTROLS OVER SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Opioid STR 93.788, Grant Award 1H79TI085744-01, Grant Award 1H79TI083313-01, Grant Award 6H79TI083313-02M002, Grant Award 6H79TI083313-02M004, Grant Award 5H79TI083313-02 Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04, Child Care and Development Fund (CCDF) Cluster 93.575/93.596/COVID-19 93.575, Grant Award G2201WVCCDF, Grant Award G2301WVCCDF Temporary Assistance for Needy Families 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: During our internal control testing of subrecipient monitoring, we determined that the subrecipient risk assessment performed did not clearly conclude the level of risk assessed (Low, Medium, High) for each subrecipient. Cause: The internal controls over subrecipient monitoring are not designed sufficiently to require a conclusion to be reached on a subrecipient’s risk assessment to determine the level of monitoring required to be performed. Effect or Potential Effect: Subrecipients may not be properly risk assessed; therefore, impacting the type and amount of monitoring that would be performed in the future. Questioned Costs: N/A Context: The federal expenditures and subrecipient expenditures for the Opioid STR program for the fiscal year ended June 30, 2023, were $34,877,309 and $32,388,417, respectively. The federal expenditures and subrecipient expenditures for the Child Care and Development Fund (CCDF Cluster) for the fiscal year ended June 30, 2023, were $202,427,780 and $45,239,361, respectively. The federal expenditures and subrecipient expenditures for the Temporary Assistance for Needy Families for the fiscal year ended June 30, 2023, were $85,510,454, and $18,789,521, respectively. Identification as a Repeat Finding: Prior Year Finding 2022–041 Recommendation: We recommend that DHHR management review its internal controls over the risk assessment process to perform the risk assessment and conclude on the level of risk and monitoring required. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–042 SPECIAL TESTS AND PROVISIONS – PROVIDER ELIGIBILITY FOR ARP ACT STABILIZATION FUNDS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/COVID-19 93.575/93.596, Grant Award 2022 – 2201WVCCDD, Grant Award 2022 – 2201WVCCDF, Grant Award 2023 – 2301WVCCDD, Grant Award 2023 – 2301WVCCDF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). According to Pub L 117-2 Sec. 2201: “To be qualified to receive ARP Act stabilization funds, a provider on the date of application for the award must either be: (1) open and available to provide child care services, or (2) closed due to public health, financial hardship, or other reasons relating to the COVID-19 public health emergency. In addition, the provider must either (1) be eligible to serve children who receive CCDF subsidies at the time of application for stabilization funds, or (2) be licensed, regulated, or registered in the state, territory, or tribe as of March 11, 2021 and meet applicable state and local health and safety requirements at the time of application for stabilization funds. In their application for stabilization funds, a child care provider must certify: a). That the provider will, when open and providing services, implement policies in line with guidance and orders from corresponding state, territorial, tribal, and local authorities and, to the greatest extent possible, implement policies in line with guidance from the CDC. b). For each employee, the provider must pay at least the same amount in weekly wages and maintain the same benefits for the duration of the stabilization funding. c). The provider will provide relief from copayments and tuition payments for the families enrolled in the provider’s program, to the extent possible, and prioritize such relief for families struggling to make either type of payment.” Condition: The West Virginia Department of Health & Human Resources (DHHR) has policies and procedures in place surrounding the review and approval of provider certifications in the application for funding and review and approval of verification of eligibility criteria; however, adequate documentation to support the review was not maintained. In addition, 2 of the 40 selected did not have a Provider Service Agreement that was completed and 1 of the 40 Provider Service Agreements did not have evidence of provider’s required certifications available. Cause: Internal controls are not operating effectively surrounding the review and approval of provider certifications and verification of eligibility criteria. Effect or Potential Effect: Providers who received ARP Act Stabilization funds may not have met the eligibility criteria or made the required certifications. Questioned Costs: N/A Context: Total federal expenditures for CCDF Cluster for the fiscal year ended June 30, 2023, were $202,427,780. Identification as a Repeat Finding: Prior Year Finding 2022–026 Recommendation: We recommend that DHHR management maintain sufficient documentation to evidence its review and approval of provider certifications and eligibility criteria. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–043 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/COVID-19 93.575/93.596, Grant Award 2022 – 2201WVCCDD, Grant Award 2022 – 2201WVCCDF, Grant Award 2023 – 2301WVCCDD, Grant Award 2023 – 2301WVCCDF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) Reports, it was noted that one report was not submitted by the State of West Virginia Child Care Development Fund (DHHR) program management within the timeframe designated in 2 CFR 170 Appendix A.
Cause: A lack of oversight and adequate review of the FFATA reporting by DHHR management. Effect or Potential Effect: DHHR management did not report the necessary FFATA report for Child Care first-tier subawards over $30,000 to The FFATA Subaward Reporting System in a timely fashion for one report. Questioned Costs: N/A Context: Subawards for the Child Care program included 10 subawards which had payments totaling $45,239,361 for the year ended June 30, 2023. The federal expenditures for the Child Care program for the fiscal year ended June 30, 2023 were $202,427,780. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that strengthen internal controls and policies and procedures over FFATA reporting to ensure they are in compliance with the federal reporting requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–044 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES AND ELIGIBILITY
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/COVID-19 93.575/93.596, Grant Award 2201WVCCDD, Grant Award 2101WVCCDF, Grant Award 2201WVCCDF, Grant Award 2301WVCCDD, Grant Award 2301WVCCDF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The allowability compliance requirements of the Child Care and Development Fund (CCDF) Cluster require the West Virginia Department of Health and Human Resources (DHHR) to conform to the following criteria contained in 2 CFR Part 200: “Costs did not consist of improper payments, including (1) payments that should not have been made or that were made in incorrect amounts (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; (2) payments that do not account for credit for applicable discounts; (3) duplicate payments; (4) payments that were made to an ineligible party or for an ineligible good or service; and (5) payments for goods or services not received (except for such payments where authorized by law). Costs were necessary and reasonable for the performance of the Federal award and allocable under the principles of 2 CFR part 200, subpart E. Costs were adequately documented.” Condition: Benefits paid to or on behalf of the individuals were calculated correctly and in compliance with the requirements of the program. We noted benefits were not paid in accordance with 2 CFR Part 200 (1) during the testing of 40 payments to providers for eligibility and allowability, as follows: • For 1 of the 40 payments, records indicate the child was covered under a Child Protective Services (CPS) safety plan. However, the $3 daily supplement was not included in the calculation or paid, resulting in an underpayment of $170. • For 1 of the 40 payments, the provider requested payment and was paid for 13 non-traditional days, however records indicate only 11 of the 13 days were non-traditional, resulting in an overpayment of $12. Cause: Management indicated that the errors were due to caseworker oversight. Internal controls are not suitably designed to review and approve disbursements. Effect or Potential Effect: Payments were not given consistent treatment, potentially resulting in overpayment or underpayment to providers. Questioned Costs: $12 Assistance Listing # 93.575 (Grant Award 2301WVCCDF) Context: The total of all benefit payments tested was $25,385. Total provider payments for the CCDF Cluster for the fiscal year ended June 30, 2023 were $157,188,419. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: DHHR should evaluate the effectiveness of the current training programs for the use of the Families and Children Tracking System (FACTS) (and subsequently West Virginia People's Access to Help (WV PATH) systems for CCDF payments). Furthermore, DHHR should follow established policies and procedures to ensure client information and the number of days are input correctly. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–045 SPECIAL TESTS AND PROVISIONS – FRAUD DETECTION AND REPAYMENT
Federal Program Information: Federal Agency and Program Name CFDA# U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/93.596 COVID-19 93.575, Grant Award 2201WVCCDD, Grant Award 2201WVCCDF, Grant Award 2301WVCCDD, Grant Award 2301WVCCDF
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 states that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). (b) Comply with Federal statutes, regulations, and the terms and conditions of the Federal awards. (c) Evaluate and monitor the non-Federal entity’s compliance with statute, regulations and the terms and conditions of Federal awards. (d) Take prompt action when instances of noncompliance are identified including noncompliance identified in audit findings. (e) Take reasonable measures to safeguard protected personally identifiable information and other information the Federal awarding agency or pass-through entity designates as sensitive or the non-Federal entity considers sensitive consistent with applicable Federal, state and local laws regarding privacy and obligations of confidentiality.” Lead Agencies shall recover child care payments that are the result of fraud. These payments shall be recovered from the party responsible for committing the fraud. (45 CFR section 98.60). Condition: Current policies indicate the DHHR refers potentially fraudulent payments to the Office of the Inspector General (OIG) for investigation. When an investigation results in a determination of fraud, a repayment plan is required to be established and tracked. However, documentation of the review of the listing of cases referred for investigation, including the status was not available. For one of the five closed investigations selected, a repayment plan was approved however repayments were not received and documentation of action taken was not available. For two of the five closed investigations selected, documentation for approval of the repayment plan, repayments received, or other follow-up action taken was not available. Therefore, the auditor was unable to reach a conclusion. Cause: Staff turnover in recent years in Departments responsible for this process caused inconsistencies in the way investigation of potentially fraudulent claims were identified, documented, and reported. Effect or Potential Effect: Payments resulting from fraud may not have been identified, and the proper procedures to establish repayment or recovery may not have occurred in a reasonable amount of time. Questioned Costs: $16,103 Context: Total federal expenditures for the CCDF Cluster for fiscal year ended June 30, 2023, were $202,427,780. Identification as a Repeat Finding: This is not a repeat finding from prior year. Recommendation: The DHHR should work with the OIG to ensure its internal controls and policies and procedures are robust and include sufficient documentation of oversight and review to ensure fraudulent claims are identified and tracked beginning in the year of identification and continuing through the establishment and enforcement of repayment agreements. Additionally, status monitoring of cases referred for investigation should be documented, and follow-up completed timely. Views of Responsible Officials: Management acknowledges the finding. See corrective action plan.
2023–050 INTERNAL CONTROL OVER ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES, SPECIAL TEST AND PROVISIONS – PROVIDER ENROLLMENT & SPECIAL TEST AND PROVISIONS: PROVIDER HEALTH AND SAFETY STANDARDS (MEDICAID ONLY)
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Medicaid Cluster 93.775/93.777/93.778, Grant Award 2005WVINCT, Grant Award 1905WV5MAP, Grant Award 2005WV5ADM, Grant Award 2005WVIMPL, Grant Award 2005WV5MAP, Grant Award 2105WV5MAP, Grant Award 2105WV5ADM, Grant Award 2105WVIMPL, Grant Award 2105WVINCT, Grant Award 2005WVINCT, Grant Award 1905WV5MAP; Children’s Health Insurance Program (CHIP) 93.767, Grant Award 2005WV5021, Grant Award 2105WV5021, Grant Award 2205WV5021 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: West Virginia Department of Health and Human Resources (DHHR) contracts a third-party service organization (Gainwell Technologies LLC) to design and maintain the WV Medicaid Management Information System (WVMMIS) and perform various functions related to the processing of claims for both the Medicaid and CHIP programs. DHHR obtains a Service Organization Controls (SOC) 1 Type 2 report for WVMMIS annually. DHHR’s internal controls over the review of the report did not identify the report had a qualified opinion. Therefore, management did not appropriately address the risk of DHHR relying on the data within WVMMIS. Cause: Management’s design of the internal controls over the annual review of the WVMMIS SOC 1 Type 2 report was not suitably designed to assess the type of opinion issued and the control exceptions identified and then implement appropriate actions for any adverse items noted. Effect or Potential Effect: WVMMIS relied on the WVMMIS SOC 1 Type 2 report that had a qualified opinion. Questioned Costs: N/A Context: The federal expenditures for the Medicaid and CHIP programs for the fiscal year ended June 30, 2023, were $4,622,001,554 and $72,568,219, respectively. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: DHHR should develop internal controls to outline the key components of the SOC 1 Type 2 report to ensure the review appropriately identifies internal controls issues timely to ensure they are addressed timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–051 SPECIAL TESTS AND PROVISIONS – ADP RISK ANALYSIS & SYSTEM SECURITY REVIEW
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Medicaid Cluster 93.775/93.777/93.778, Grant Award 2005WVINCT, Grant Award 1905WV5MAP, Grant Award 2005WV5ADM, Grant Award 2005WVIMPL, Grant Award 2005WV5MAP, Grant Award 2105WV5MAP, Grant Award 2105WV5ADM, Grant Award 2105WVIMPL, Grant Award 2105WVINCT, Grant Award 2005WVINCT, Grant Award 1905WV5MAP Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 45 CFR 95.621 requires State Medicaid Agencies (SMAs) “shall review the Automated Data Processing (ADP) system security installations involved in the administration of the Secretary of the U.S. Department of Health and Human Services (HHS) programs on a biennial basis. At a minimum, the reviews shall include an evaluation of physical and data security operating procedures, and personnel practices. The SMA shall maintain reports on its biennial ADP system security reviews, together with pertinent supporting documentation, for HHS on-site reviews.” States agencies must establish and maintain a program for conducting periodic risk analyses to ensure appropriate, cost-effective safeguards are incorporated into new and existing systems. As part of complying with the above requirement, a state may obtain a statement on Standards for Attestation Engagements (AT) Section 801, Reporting on Controls at a Service Organization Service Organization Control (SOC) 1 type 2 report from its service organization (if the state has a service organization). The specific areas covered by a SOC 1 type 2 report differ according to each individual service organization’s operations; however, in every instance, the type 2 report procedures assess the sufficiency of the design of an organization’s controls and test their effectiveness.
Condition: The West Virginia Department of Health & Human Resources (DHHR) utilizes two ADP systems related to Medicaid: RAPIDS and West Virginia’s Medicaid Management Information System (MMIS). DHHR does not have policies and procedures established to perform periodic risk assessments and security reviews over MMIS. As this system utilizes sub-systems (Health PAS Solution) with automated components that directly affect the Medicaid cluster of programs, it meets the criteria stated above from 45 CFR 95.621. DHHR obtains a Service Organization Controls (SOC) 1 Type 2 report for MMIS annually, but DHHR did not sufficiently document their review of the service organization’s controls and overall effectiveness of each control, in order to meet the aforementioned criteria for conducting a periodic risk analysis over each ADP system, per 45 CFR 95.621. Cause: Management’s policies and procedures surrounding the review of the MMIS SOC 1 Type 2 report related to assessing risk and system security do not include the retention of documentation outlining what was reviewed and the results of the review. Effect or Potential Effect: There could be risks related to physical and data security operating procedures, and personnel practices that are not identified timely and appropriately addressed. Questioned Costs: N/A Context: The federal expenditures for the Medicaid program for the fiscal year ended June 30, 2022, were $4,622,001,554. Identification as a Repeat Finding: Prior Year Finding 2022–037 Recommendation: DHHR should enhance its policies and procedures related to the review of the MMIS SOC 1 Type 2 report to ensure that appropriate documentation is retained in order to meet the criteria of an ADP periodic risk assessment and security review of WVMMIS. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–050 INTERNAL CONTROL OVER ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES, SPECIAL TEST AND PROVISIONS – PROVIDER ENROLLMENT & SPECIAL TEST AND PROVISIONS: PROVIDER HEALTH AND SAFETY STANDARDS (MEDICAID ONLY)
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Medicaid Cluster 93.775/93.777/93.778, Grant Award 2005WVINCT, Grant Award 1905WV5MAP, Grant Award 2005WV5ADM, Grant Award 2005WVIMPL, Grant Award 2005WV5MAP, Grant Award 2105WV5MAP, Grant Award 2105WV5ADM, Grant Award 2105WVIMPL, Grant Award 2105WVINCT, Grant Award 2005WVINCT, Grant Award 1905WV5MAP; Children’s Health Insurance Program (CHIP) 93.767, Grant Award 2005WV5021, Grant Award 2105WV5021, Grant Award 2205WV5021 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: West Virginia Department of Health and Human Resources (DHHR) contracts a third-party service organization (Gainwell Technologies LLC) to design and maintain the WV Medicaid Management Information System (WVMMIS) and perform various functions related to the processing of claims for both the Medicaid and CHIP programs. DHHR obtains a Service Organization Controls (SOC) 1 Type 2 report for WVMMIS annually. DHHR’s internal controls over the review of the report did not identify the report had a qualified opinion. Therefore, management did not appropriately address the risk of DHHR relying on the data within WVMMIS. Cause: Management’s design of the internal controls over the annual review of the WVMMIS SOC 1 Type 2 report was not suitably designed to assess the type of opinion issued and the control exceptions identified and then implement appropriate actions for any adverse items noted. Effect or Potential Effect: WVMMIS relied on the WVMMIS SOC 1 Type 2 report that had a qualified opinion. Questioned Costs: N/A Context: The federal expenditures for the Medicaid and CHIP programs for the fiscal year ended June 30, 2023, were $4,622,001,554 and $72,568,219, respectively. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: DHHR should develop internal controls to outline the key components of the SOC 1 Type 2 report to ensure the review appropriately identifies internal controls issues timely to ensure they are addressed timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–051 SPECIAL TESTS AND PROVISIONS – ADP RISK ANALYSIS & SYSTEM SECURITY REVIEW
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Medicaid Cluster 93.775/93.777/93.778, Grant Award 2005WVINCT, Grant Award 1905WV5MAP, Grant Award 2005WV5ADM, Grant Award 2005WVIMPL, Grant Award 2005WV5MAP, Grant Award 2105WV5MAP, Grant Award 2105WV5ADM, Grant Award 2105WVIMPL, Grant Award 2105WVINCT, Grant Award 2005WVINCT, Grant Award 1905WV5MAP Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 45 CFR 95.621 requires State Medicaid Agencies (SMAs) “shall review the Automated Data Processing (ADP) system security installations involved in the administration of the Secretary of the U.S. Department of Health and Human Services (HHS) programs on a biennial basis. At a minimum, the reviews shall include an evaluation of physical and data security operating procedures, and personnel practices. The SMA shall maintain reports on its biennial ADP system security reviews, together with pertinent supporting documentation, for HHS on-site reviews.” States agencies must establish and maintain a program for conducting periodic risk analyses to ensure appropriate, cost-effective safeguards are incorporated into new and existing systems. As part of complying with the above requirement, a state may obtain a statement on Standards for Attestation Engagements (AT) Section 801, Reporting on Controls at a Service Organization Service Organization Control (SOC) 1 type 2 report from its service organization (if the state has a service organization). The specific areas covered by a SOC 1 type 2 report differ according to each individual service organization’s operations; however, in every instance, the type 2 report procedures assess the sufficiency of the design of an organization’s controls and test their effectiveness.
Condition: The West Virginia Department of Health & Human Resources (DHHR) utilizes two ADP systems related to Medicaid: RAPIDS and West Virginia’s Medicaid Management Information System (MMIS). DHHR does not have policies and procedures established to perform periodic risk assessments and security reviews over MMIS. As this system utilizes sub-systems (Health PAS Solution) with automated components that directly affect the Medicaid cluster of programs, it meets the criteria stated above from 45 CFR 95.621. DHHR obtains a Service Organization Controls (SOC) 1 Type 2 report for MMIS annually, but DHHR did not sufficiently document their review of the service organization’s controls and overall effectiveness of each control, in order to meet the aforementioned criteria for conducting a periodic risk analysis over each ADP system, per 45 CFR 95.621. Cause: Management’s policies and procedures surrounding the review of the MMIS SOC 1 Type 2 report related to assessing risk and system security do not include the retention of documentation outlining what was reviewed and the results of the review. Effect or Potential Effect: There could be risks related to physical and data security operating procedures, and personnel practices that are not identified timely and appropriately addressed. Questioned Costs: N/A Context: The federal expenditures for the Medicaid program for the fiscal year ended June 30, 2022, were $4,622,001,554. Identification as a Repeat Finding: Prior Year Finding 2022–037 Recommendation: DHHR should enhance its policies and procedures related to the review of the MMIS SOC 1 Type 2 report to ensure that appropriate documentation is retained in order to meet the criteria of an ADP periodic risk assessment and security review of WVMMIS. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–050 INTERNAL CONTROL OVER ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES, SPECIAL TEST AND PROVISIONS – PROVIDER ENROLLMENT & SPECIAL TEST AND PROVISIONS: PROVIDER HEALTH AND SAFETY STANDARDS (MEDICAID ONLY)
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Medicaid Cluster 93.775/93.777/93.778, Grant Award 2005WVINCT, Grant Award 1905WV5MAP, Grant Award 2005WV5ADM, Grant Award 2005WVIMPL, Grant Award 2005WV5MAP, Grant Award 2105WV5MAP, Grant Award 2105WV5ADM, Grant Award 2105WVIMPL, Grant Award 2105WVINCT, Grant Award 2005WVINCT, Grant Award 1905WV5MAP; Children’s Health Insurance Program (CHIP) 93.767, Grant Award 2005WV5021, Grant Award 2105WV5021, Grant Award 2205WV5021 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: West Virginia Department of Health and Human Resources (DHHR) contracts a third-party service organization (Gainwell Technologies LLC) to design and maintain the WV Medicaid Management Information System (WVMMIS) and perform various functions related to the processing of claims for both the Medicaid and CHIP programs. DHHR obtains a Service Organization Controls (SOC) 1 Type 2 report for WVMMIS annually. DHHR’s internal controls over the review of the report did not identify the report had a qualified opinion. Therefore, management did not appropriately address the risk of DHHR relying on the data within WVMMIS. Cause: Management’s design of the internal controls over the annual review of the WVMMIS SOC 1 Type 2 report was not suitably designed to assess the type of opinion issued and the control exceptions identified and then implement appropriate actions for any adverse items noted. Effect or Potential Effect: WVMMIS relied on the WVMMIS SOC 1 Type 2 report that had a qualified opinion. Questioned Costs: N/A Context: The federal expenditures for the Medicaid and CHIP programs for the fiscal year ended June 30, 2023, were $4,622,001,554 and $72,568,219, respectively. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: DHHR should develop internal controls to outline the key components of the SOC 1 Type 2 report to ensure the review appropriately identifies internal controls issues timely to ensure they are addressed timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–051 SPECIAL TESTS AND PROVISIONS – ADP RISK ANALYSIS & SYSTEM SECURITY REVIEW
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Medicaid Cluster 93.775/93.777/93.778, Grant Award 2005WVINCT, Grant Award 1905WV5MAP, Grant Award 2005WV5ADM, Grant Award 2005WVIMPL, Grant Award 2005WV5MAP, Grant Award 2105WV5MAP, Grant Award 2105WV5ADM, Grant Award 2105WVIMPL, Grant Award 2105WVINCT, Grant Award 2005WVINCT, Grant Award 1905WV5MAP Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 45 CFR 95.621 requires State Medicaid Agencies (SMAs) “shall review the Automated Data Processing (ADP) system security installations involved in the administration of the Secretary of the U.S. Department of Health and Human Services (HHS) programs on a biennial basis. At a minimum, the reviews shall include an evaluation of physical and data security operating procedures, and personnel practices. The SMA shall maintain reports on its biennial ADP system security reviews, together with pertinent supporting documentation, for HHS on-site reviews.” States agencies must establish and maintain a program for conducting periodic risk analyses to ensure appropriate, cost-effective safeguards are incorporated into new and existing systems. As part of complying with the above requirement, a state may obtain a statement on Standards for Attestation Engagements (AT) Section 801, Reporting on Controls at a Service Organization Service Organization Control (SOC) 1 type 2 report from its service organization (if the state has a service organization). The specific areas covered by a SOC 1 type 2 report differ according to each individual service organization’s operations; however, in every instance, the type 2 report procedures assess the sufficiency of the design of an organization’s controls and test their effectiveness.
Condition: The West Virginia Department of Health & Human Resources (DHHR) utilizes two ADP systems related to Medicaid: RAPIDS and West Virginia’s Medicaid Management Information System (MMIS). DHHR does not have policies and procedures established to perform periodic risk assessments and security reviews over MMIS. As this system utilizes sub-systems (Health PAS Solution) with automated components that directly affect the Medicaid cluster of programs, it meets the criteria stated above from 45 CFR 95.621. DHHR obtains a Service Organization Controls (SOC) 1 Type 2 report for MMIS annually, but DHHR did not sufficiently document their review of the service organization’s controls and overall effectiveness of each control, in order to meet the aforementioned criteria for conducting a periodic risk analysis over each ADP system, per 45 CFR 95.621. Cause: Management’s policies and procedures surrounding the review of the MMIS SOC 1 Type 2 report related to assessing risk and system security do not include the retention of documentation outlining what was reviewed and the results of the review. Effect or Potential Effect: There could be risks related to physical and data security operating procedures, and personnel practices that are not identified timely and appropriately addressed. Questioned Costs: N/A Context: The federal expenditures for the Medicaid program for the fiscal year ended June 30, 2022, were $4,622,001,554. Identification as a Repeat Finding: Prior Year Finding 2022–037 Recommendation: DHHR should enhance its policies and procedures related to the review of the MMIS SOC 1 Type 2 report to ensure that appropriate documentation is retained in order to meet the criteria of an ADP periodic risk assessment and security review of WVMMIS. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–054 INTERNAL CONTROLS OVER TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Homeland Security Disaster Grants – Public Assistance (Presidentially Declared Disasters) 97.036/COVID-19 97.036, Grant Award FEMA–4273-DR–WV, Grant Award FEMA–4331-DR–WV, Grant Award FEMA–4359-DR–WV, Grant Award FEMA–4378-DR–WV, Grant Award FEMA–4455-DR–WV, Grant Award FEMA–4517-DR–WV, Grant Award FEMA–4603-DR–WV, Grant Award FEMA–4605-DR–WV Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: For 21 of the 31 subawards selected for testing, the West Virginia Division of Emergency Management (DEM) did not review and approve the Federal Funding Accountability and Transparency Act (FFATA) reports that were submitted to Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Cause: DEM does not have adequate internal controls in place to ensure that subawards of $30,000 or more are being reported timely and accurately to FSRS. Effect or Potential Effect: DEM may report inaccurate or untimely information for first-tier subawards of $30,000 or more causing them not to be in compliance with federal reporting requirements. Questioned Costs: N/A Context: Total federal expenditures and total subrecipient expenditures for the Disaster Grants – Public Assistance (Presidentially Declared Disasters) program were $123,949,127 and $65,999,232, respectively, for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Findings 2022–042 and 2021–041 Recommendation: We recommend that DEM strengthen internal controls over FFATA reporting to ensure they are in compliance with federal reporting requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–055 SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Homeland Security Disaster Grants – Public Assistance (Presidentially Declared Disasters) 97.036, Grant Award FEMA–4273-DR–WV, Grant Award FEMA–4331-DR–WV, Grant Award FEMA–4359-DR–WV, Grant Award FEMA–4378-DR–WV, Grant Award FEMA–4455-DR–WV, Grant Award FEMA–4517-DR–WV, Grant Award FEMA–4603-DR–WV, Grant Award FEMA–4605-DR–WV Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the West Virginia Division of Emergency Management (DEM) must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.332(b) requires that all pass-through entities must: (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency). 2 CFR 200.332(f) required that all pass-through entities must “verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in Section 200.501.” Condition: The School Building Authority (SBA) did not perform subrecipient risk assessments. Additionally, SBA did not verify if subrecipients subject to be audited per 2 CFR 200.332(f) were audited as required. Cause: SBA does not have proper policies and procedures in place surrounding the subrecipient monitoring compliance requirements. Effect or Potential Effect: SBA is not in compliance with the subrecipient monitoring compliance requirements. Questioned Costs: Unknown Context: Total federal expenditures for the Disaster Grants – Public Assistance (Presidentially Declared Disasters) program were $123,949,127 for the year ended June 30, 2023. SBA had two subrecipients with subrecipient expenditures totaling $45,615,370 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–043 Recommendation: We recommend that SBA implement policies and procedures surrounding subrecipient monitoring to ensure they are in compliance with the subrecipient monitoring compliance requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–056 INTERNAL CONTROLS OVER ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Homeland Security Disaster Grants – Public Assistance (Presidentially Declared Disasters) 97.036/COVID-19 97.036, Grant Award FEMA–4273-DR–WV, Grant Award FEMA–4331-DR–WV, Grant Award FEMA–4359-DR–WV, Grant Award FEMA–4378-DR–WV, Grant Award FEMA–4455-DR–WV, Grant Award FEMA–4517-DR–WV, Grant Award FEMA–4603-DR–WV, Grant Award FEMA–4605-DR–WV Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: For 21 of the 40 payroll transactions selected for testing at the West Virginia Military Authority (the Authority), there was no documentation that the employee’s time worked was reviewed and approved. Cause: The Authority does not have adequate internal controls and policies and procedures in place to ensure all payroll transactions are reviewed and approved. Effect or Potential Effect: The Authority may not identify noncompliance with federal statues, regulations, and terms of the conditions of the federal award including allowability. Expenditures may be paid that are not allowable. Questioned Costs: N/A Context: Total federal expenditures for the Disaster Grants – Public Assistance (Presidentially Declared Disasters) program were $123,949,127, for the year ended June 30, 2023. Total payroll charged to the grant at the Authority was $2,221,140. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that the Authority implement controls to ensure that expenditures are properly reviewed and approved before being charged to a federal award. Views of Responsible Officials: Management acknowledges the finding. See corrective action plan.
2023–057 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Homeland Security Disaster Grants – Public Assistance (Presidentially Declared Disasters) 97.036/COVID-19 97.036, Grant Award FEMA–4273-DR–WV, Grant Award FEMA–4331-DR–WV, Grant Award FEMA–4359-DR–WV, Grant Award FEMA–4378-DR–WV, Grant Award FEMA–4455-DR–WV, Grant Award FEMA–4517-DR–WV, Grant Award FEMA–4603-DR–WV, Grant Award FEMA–4605-DR–WV Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the West Virginia Division of Emergency Management (DEM) must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.403 requires that costs “be necessary and reasonable for the performance of the Federal award.” Costs should not consist of improper payments, including payments that were made to an ineligible party or for an ineligible good or service or payments for goods or services not received. Condition: The West Virginia Department of Health and Human Resources (DHHR) paid invoices to a third party vendor that were approved for payment without verifying the invoices for accuracy. Cause: DHHR does not have proper internal controls in place to ensure that invoices are verified for accuracy prior to payment. Effect or Potential Effect: Unallowable expenditures may have been paid with federal funds. Questioned Costs: $3,464,213 Context: Total federal expenditures for the Disaster Grants – Public Assistance (Presidentially Declared Disasters) program were $123,949,127 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that DHHR implement proper internal controls to ensure that all invoices are accurate. and costs are allowable under the federal program. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–054 INTERNAL CONTROLS OVER TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Homeland Security Disaster Grants – Public Assistance (Presidentially Declared Disasters) 97.036/COVID-19 97.036, Grant Award FEMA–4273-DR–WV, Grant Award FEMA–4331-DR–WV, Grant Award FEMA–4359-DR–WV, Grant Award FEMA–4378-DR–WV, Grant Award FEMA–4455-DR–WV, Grant Award FEMA–4517-DR–WV, Grant Award FEMA–4603-DR–WV, Grant Award FEMA–4605-DR–WV Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: For 21 of the 31 subawards selected for testing, the West Virginia Division of Emergency Management (DEM) did not review and approve the Federal Funding Accountability and Transparency Act (FFATA) reports that were submitted to Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Cause: DEM does not have adequate internal controls in place to ensure that subawards of $30,000 or more are being reported timely and accurately to FSRS. Effect or Potential Effect: DEM may report inaccurate or untimely information for first-tier subawards of $30,000 or more causing them not to be in compliance with federal reporting requirements. Questioned Costs: N/A Context: Total federal expenditures and total subrecipient expenditures for the Disaster Grants – Public Assistance (Presidentially Declared Disasters) program were $123,949,127 and $65,999,232, respectively, for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Findings 2022–042 and 2021–041 Recommendation: We recommend that DEM strengthen internal controls over FFATA reporting to ensure they are in compliance with federal reporting requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–055 SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Homeland Security Disaster Grants – Public Assistance (Presidentially Declared Disasters) 97.036, Grant Award FEMA–4273-DR–WV, Grant Award FEMA–4331-DR–WV, Grant Award FEMA–4359-DR–WV, Grant Award FEMA–4378-DR–WV, Grant Award FEMA–4455-DR–WV, Grant Award FEMA–4517-DR–WV, Grant Award FEMA–4603-DR–WV, Grant Award FEMA–4605-DR–WV Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the West Virginia Division of Emergency Management (DEM) must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.332(b) requires that all pass-through entities must: (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency). 2 CFR 200.332(f) required that all pass-through entities must “verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in Section 200.501.” Condition: The School Building Authority (SBA) did not perform subrecipient risk assessments. Additionally, SBA did not verify if subrecipients subject to be audited per 2 CFR 200.332(f) were audited as required. Cause: SBA does not have proper policies and procedures in place surrounding the subrecipient monitoring compliance requirements. Effect or Potential Effect: SBA is not in compliance with the subrecipient monitoring compliance requirements. Questioned Costs: Unknown Context: Total federal expenditures for the Disaster Grants – Public Assistance (Presidentially Declared Disasters) program were $123,949,127 for the year ended June 30, 2023. SBA had two subrecipients with subrecipient expenditures totaling $45,615,370 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–043 Recommendation: We recommend that SBA implement policies and procedures surrounding subrecipient monitoring to ensure they are in compliance with the subrecipient monitoring compliance requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–056 INTERNAL CONTROLS OVER ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Homeland Security Disaster Grants – Public Assistance (Presidentially Declared Disasters) 97.036/COVID-19 97.036, Grant Award FEMA–4273-DR–WV, Grant Award FEMA–4331-DR–WV, Grant Award FEMA–4359-DR–WV, Grant Award FEMA–4378-DR–WV, Grant Award FEMA–4455-DR–WV, Grant Award FEMA–4517-DR–WV, Grant Award FEMA–4603-DR–WV, Grant Award FEMA–4605-DR–WV Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: For 21 of the 40 payroll transactions selected for testing at the West Virginia Military Authority (the Authority), there was no documentation that the employee’s time worked was reviewed and approved. Cause: The Authority does not have adequate internal controls and policies and procedures in place to ensure all payroll transactions are reviewed and approved. Effect or Potential Effect: The Authority may not identify noncompliance with federal statues, regulations, and terms of the conditions of the federal award including allowability. Expenditures may be paid that are not allowable. Questioned Costs: N/A Context: Total federal expenditures for the Disaster Grants – Public Assistance (Presidentially Declared Disasters) program were $123,949,127, for the year ended June 30, 2023. Total payroll charged to the grant at the Authority was $2,221,140. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that the Authority implement controls to ensure that expenditures are properly reviewed and approved before being charged to a federal award. Views of Responsible Officials: Management acknowledges the finding. See corrective action plan.
2023–057 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Homeland Security Disaster Grants – Public Assistance (Presidentially Declared Disasters) 97.036/COVID-19 97.036, Grant Award FEMA–4273-DR–WV, Grant Award FEMA–4331-DR–WV, Grant Award FEMA–4359-DR–WV, Grant Award FEMA–4378-DR–WV, Grant Award FEMA–4455-DR–WV, Grant Award FEMA–4517-DR–WV, Grant Award FEMA–4603-DR–WV, Grant Award FEMA–4605-DR–WV Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the West Virginia Division of Emergency Management (DEM) must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.403 requires that costs “be necessary and reasonable for the performance of the Federal award.” Costs should not consist of improper payments, including payments that were made to an ineligible party or for an ineligible good or service or payments for goods or services not received. Condition: The West Virginia Department of Health and Human Resources (DHHR) paid invoices to a third party vendor that were approved for payment without verifying the invoices for accuracy. Cause: DHHR does not have proper internal controls in place to ensure that invoices are verified for accuracy prior to payment. Effect or Potential Effect: Unallowable expenditures may have been paid with federal funds. Questioned Costs: $3,464,213 Context: Total federal expenditures for the Disaster Grants – Public Assistance (Presidentially Declared Disasters) program were $123,949,127 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that DHHR implement proper internal controls to ensure that all invoices are accurate. and costs are allowable under the federal program. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–002 DHHR INFORMATION SYSTEM AND RELATED BUSINESS PROCESS CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF, Child Care and Development Fund (CCDF) Cluster, 93.575/93.596/COVID 19 93.575, Grant Award 2201WVCCDF, Grant Award 2201WVCCDM, Grant Award 2201WVCCDD, Grant Award 2301WVCCDF, Grant Award 2301WVCCDM, Grant Award 2301WVCCDD, Foster Care Title IV-E, 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: Family and Children Tracking System (FACTS): West Virginia Department of Health and Human Resources (DHHR) operates a wide variety of computer applications, many of which affect federal and State programs’ data. Our review of the information system controls noted that adequate segregation of duties does not exist for the FACTS information system. Certain users have the ability to both create and approve cases. We noted that management implemented a mitigating detect control for the Foster Care program during fiscal year 2012 in response to this repeat finding; however, it was not designed to encompass the Adoption Assistance program or automatic payments in the Foster Care program. Additionally, no supervisory review is required for provider payment information input into the system. Recipient Automated Payment Information Data System (RAPIDS): Our testing of the controls surrounding eligibility determination noted that adequate segregation of duties does not exist for the RAPIDS system. In addition, no supervisory review is required for case information input into the system. Further, it was noted that approval of disbursements only occurs at the batch level, which does not allow the approver to review each transaction individually. Cause: Controls have not been implemented over the segregation of duties within RAPIDS and FACTS. Furthermore, management indicated that a lack of personnel resources contributes to the improper segregation of duties issue. Effect or Potential Effect: Without proper segregation of duties or adequate detect controls, the ability exists for certain information system users to create and approve cases and demand payments within the FACTS and RAPIDS applications. Information can be input into the FACTS and RAPIDS applications or modified within the applications without supervisory review, which could lead to payments being made to ineligible applicants, for the improper amount, or for an improper length of time. Without proper segregation of duties or adequate detect controls, the ability exists for case workers to input unsupported information into an applicant’s eligibility calculation within RAPIDS. Further, without supervisory review at the transactional level, disbursements for unallowable costs or activities could occur. Questioned Costs: N/A Context: Total federal expenditures for these programs can be located in the Schedule of Expenditures of Federal Awards. Identification as a Repeat Finding: Prior Year Findings 2022–001 and 2021–001
Recommendation: We recommend that access to various FACTS and RAPIDS system applications be restricted to a limited number of users. Controls should be established to ensure that an individual is limited to either creating or approving cases or payments. A detect control should be implemented that would require a review of all individual cases and payments with the same request and approval worker to ensure that cases and payments created and approved were appropriate. Further, we recommend that a formal review process be implemented to ensure that information input into FACTS and RAPIDS is properly reviewed by authorized individuals prior to payment. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–005 SPECIAL TESTS AND PROVISIONS – ADP SYSTEM FOR SNAP
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 7 CFR section 272.10 requires that State agencies “sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information concerning SNAP.” This includes: (1) processing and storing all case file information necessary for eligibility determination and benefit calculation, identifying specific elements that affect eligibility, and notifying the certification unit of cases requiring notices of disposition, adverse action and mass change, and expiration; (2) providing an automatic cutoff of participation for households that have not been recertified at the end of their certification period by reapplying and being determined eligible for a new period; and (3) generating data necessary to meet federal issuance and reconciliation reporting requirements. Condition: The Department of Health and Human Resources (DHHR) uses the Recipient Automated Payment Information Data System (RAPIDS) as its Automated Data Processing (ADP) system for SNAP. Our testing of the controls surrounding eligibility determination noted that no independent review and approval is required in RAPIDS for case information input by the case worker. Further, it was noted that review and approval of disbursements only occurs at the batch level, which does not allow the independent reviewer to review each transaction individually. Data integrity is a critical for the automation SNAP operations. Due to limitations of the ADP system for SNAP, the auditor was unable to conclude whether or not the State’s ADP system for SNAP (i.e., RAPIDS) was in compliance with requirements of 7 CFR section 272.10. Cause: Controls within the RAPIDS system are not designed to sufficiently protect the integrity of data input into the system. Effect or Potential Effect: The information related to the operations of the SNAP Cluster may not be appropriately maintained, processed or transmitted by the ADP system. Questioned Costs: N/A Context: Total federal expenditures for the SNAP Cluster were $884,947,739 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–002 Recommendation: We recommend that management establish the appropriate segregation of duties related to the review and approval of eligibility applications, in order to maintain effective IT general controls over the RAPIDS ADP system for SNAP. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–006 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200 requires that costs do not consist of improper payments, defined as “any payment that should not have been made or that was made in an incorrect amount under statutory, contractual, administrative, or other legally applicable requirements. Incorrect amounts are overpayments or underpayments that are made to eligible recipients (including inappropriate denials of payment or service, any payment that does not account for credit for applicable discounts, payments that are for an incorrect amount, and duplicate payments). An improper payment also includes any payment that was made to an ineligible recipient or for an ineligible good or service, or payments for goods or services not received (except for such payments authorized by law).” Condition: During our testing of 40 cases for allowability for SNAP, we noted one emergency supplemental allotment payment to a recipient for a month that was not allowable. Cause: Internal controls are not adequately designed or implemented to prevent non-compliance surrounding the issuance of SNAP benefits. Effect or Potential Effect: Disbursements to recipients could be made that are not allowable. Questioned Costs: $463 Context: Total federal expenditures for the SNAP Cluster were $884,947,739 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–003 Recommendation: DHHR should ensure that all compliance requirements are reviewed to ensure the benefit amounts are accurate prior to disbursement. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–002 DHHR INFORMATION SYSTEM AND RELATED BUSINESS PROCESS CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF, Child Care and Development Fund (CCDF) Cluster, 93.575/93.596/COVID 19 93.575, Grant Award 2201WVCCDF, Grant Award 2201WVCCDM, Grant Award 2201WVCCDD, Grant Award 2301WVCCDF, Grant Award 2301WVCCDM, Grant Award 2301WVCCDD, Foster Care Title IV-E, 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: Family and Children Tracking System (FACTS): West Virginia Department of Health and Human Resources (DHHR) operates a wide variety of computer applications, many of which affect federal and State programs’ data. Our review of the information system controls noted that adequate segregation of duties does not exist for the FACTS information system. Certain users have the ability to both create and approve cases. We noted that management implemented a mitigating detect control for the Foster Care program during fiscal year 2012 in response to this repeat finding; however, it was not designed to encompass the Adoption Assistance program or automatic payments in the Foster Care program. Additionally, no supervisory review is required for provider payment information input into the system. Recipient Automated Payment Information Data System (RAPIDS): Our testing of the controls surrounding eligibility determination noted that adequate segregation of duties does not exist for the RAPIDS system. In addition, no supervisory review is required for case information input into the system. Further, it was noted that approval of disbursements only occurs at the batch level, which does not allow the approver to review each transaction individually. Cause: Controls have not been implemented over the segregation of duties within RAPIDS and FACTS. Furthermore, management indicated that a lack of personnel resources contributes to the improper segregation of duties issue. Effect or Potential Effect: Without proper segregation of duties or adequate detect controls, the ability exists for certain information system users to create and approve cases and demand payments within the FACTS and RAPIDS applications. Information can be input into the FACTS and RAPIDS applications or modified within the applications without supervisory review, which could lead to payments being made to ineligible applicants, for the improper amount, or for an improper length of time. Without proper segregation of duties or adequate detect controls, the ability exists for case workers to input unsupported information into an applicant’s eligibility calculation within RAPIDS. Further, without supervisory review at the transactional level, disbursements for unallowable costs or activities could occur. Questioned Costs: N/A Context: Total federal expenditures for these programs can be located in the Schedule of Expenditures of Federal Awards. Identification as a Repeat Finding: Prior Year Findings 2022–001 and 2021–001
Recommendation: We recommend that access to various FACTS and RAPIDS system applications be restricted to a limited number of users. Controls should be established to ensure that an individual is limited to either creating or approving cases or payments. A detect control should be implemented that would require a review of all individual cases and payments with the same request and approval worker to ensure that cases and payments created and approved were appropriate. Further, we recommend that a formal review process be implemented to ensure that information input into FACTS and RAPIDS is properly reviewed by authorized individuals prior to payment. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–005 SPECIAL TESTS AND PROVISIONS – ADP SYSTEM FOR SNAP
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 7 CFR section 272.10 requires that State agencies “sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information concerning SNAP.” This includes: (1) processing and storing all case file information necessary for eligibility determination and benefit calculation, identifying specific elements that affect eligibility, and notifying the certification unit of cases requiring notices of disposition, adverse action and mass change, and expiration; (2) providing an automatic cutoff of participation for households that have not been recertified at the end of their certification period by reapplying and being determined eligible for a new period; and (3) generating data necessary to meet federal issuance and reconciliation reporting requirements. Condition: The Department of Health and Human Resources (DHHR) uses the Recipient Automated Payment Information Data System (RAPIDS) as its Automated Data Processing (ADP) system for SNAP. Our testing of the controls surrounding eligibility determination noted that no independent review and approval is required in RAPIDS for case information input by the case worker. Further, it was noted that review and approval of disbursements only occurs at the batch level, which does not allow the independent reviewer to review each transaction individually. Data integrity is a critical for the automation SNAP operations. Due to limitations of the ADP system for SNAP, the auditor was unable to conclude whether or not the State’s ADP system for SNAP (i.e., RAPIDS) was in compliance with requirements of 7 CFR section 272.10. Cause: Controls within the RAPIDS system are not designed to sufficiently protect the integrity of data input into the system. Effect or Potential Effect: The information related to the operations of the SNAP Cluster may not be appropriately maintained, processed or transmitted by the ADP system. Questioned Costs: N/A Context: Total federal expenditures for the SNAP Cluster were $884,947,739 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–002 Recommendation: We recommend that management establish the appropriate segregation of duties related to the review and approval of eligibility applications, in order to maintain effective IT general controls over the RAPIDS ADP system for SNAP. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–006 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200 requires that costs do not consist of improper payments, defined as “any payment that should not have been made or that was made in an incorrect amount under statutory, contractual, administrative, or other legally applicable requirements. Incorrect amounts are overpayments or underpayments that are made to eligible recipients (including inappropriate denials of payment or service, any payment that does not account for credit for applicable discounts, payments that are for an incorrect amount, and duplicate payments). An improper payment also includes any payment that was made to an ineligible recipient or for an ineligible good or service, or payments for goods or services not received (except for such payments authorized by law).” Condition: During our testing of 40 cases for allowability for SNAP, we noted one emergency supplemental allotment payment to a recipient for a month that was not allowable. Cause: Internal controls are not adequately designed or implemented to prevent non-compliance surrounding the issuance of SNAP benefits. Effect or Potential Effect: Disbursements to recipients could be made that are not allowable. Questioned Costs: $463 Context: Total federal expenditures for the SNAP Cluster were $884,947,739 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–003 Recommendation: DHHR should ensure that all compliance requirements are reviewed to ensure the benefit amounts are accurate prior to disbursement. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–002 DHHR INFORMATION SYSTEM AND RELATED BUSINESS PROCESS CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF, Child Care and Development Fund (CCDF) Cluster, 93.575/93.596/COVID 19 93.575, Grant Award 2201WVCCDF, Grant Award 2201WVCCDM, Grant Award 2201WVCCDD, Grant Award 2301WVCCDF, Grant Award 2301WVCCDM, Grant Award 2301WVCCDD, Foster Care Title IV-E, 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: Family and Children Tracking System (FACTS): West Virginia Department of Health and Human Resources (DHHR) operates a wide variety of computer applications, many of which affect federal and State programs’ data. Our review of the information system controls noted that adequate segregation of duties does not exist for the FACTS information system. Certain users have the ability to both create and approve cases. We noted that management implemented a mitigating detect control for the Foster Care program during fiscal year 2012 in response to this repeat finding; however, it was not designed to encompass the Adoption Assistance program or automatic payments in the Foster Care program. Additionally, no supervisory review is required for provider payment information input into the system. Recipient Automated Payment Information Data System (RAPIDS): Our testing of the controls surrounding eligibility determination noted that adequate segregation of duties does not exist for the RAPIDS system. In addition, no supervisory review is required for case information input into the system. Further, it was noted that approval of disbursements only occurs at the batch level, which does not allow the approver to review each transaction individually. Cause: Controls have not been implemented over the segregation of duties within RAPIDS and FACTS. Furthermore, management indicated that a lack of personnel resources contributes to the improper segregation of duties issue. Effect or Potential Effect: Without proper segregation of duties or adequate detect controls, the ability exists for certain information system users to create and approve cases and demand payments within the FACTS and RAPIDS applications. Information can be input into the FACTS and RAPIDS applications or modified within the applications without supervisory review, which could lead to payments being made to ineligible applicants, for the improper amount, or for an improper length of time. Without proper segregation of duties or adequate detect controls, the ability exists for case workers to input unsupported information into an applicant’s eligibility calculation within RAPIDS. Further, without supervisory review at the transactional level, disbursements for unallowable costs or activities could occur. Questioned Costs: N/A Context: Total federal expenditures for these programs can be located in the Schedule of Expenditures of Federal Awards. Identification as a Repeat Finding: Prior Year Findings 2022–001 and 2021–001
Recommendation: We recommend that access to various FACTS and RAPIDS system applications be restricted to a limited number of users. Controls should be established to ensure that an individual is limited to either creating or approving cases or payments. A detect control should be implemented that would require a review of all individual cases and payments with the same request and approval worker to ensure that cases and payments created and approved were appropriate. Further, we recommend that a formal review process be implemented to ensure that information input into FACTS and RAPIDS is properly reviewed by authorized individuals prior to payment. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–005 SPECIAL TESTS AND PROVISIONS – ADP SYSTEM FOR SNAP
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 7 CFR section 272.10 requires that State agencies “sufficiently automate their SNAP operations and computerize their systems for obtaining, maintaining, utilizing, and transmitting information concerning SNAP.” This includes: (1) processing and storing all case file information necessary for eligibility determination and benefit calculation, identifying specific elements that affect eligibility, and notifying the certification unit of cases requiring notices of disposition, adverse action and mass change, and expiration; (2) providing an automatic cutoff of participation for households that have not been recertified at the end of their certification period by reapplying and being determined eligible for a new period; and (3) generating data necessary to meet federal issuance and reconciliation reporting requirements. Condition: The Department of Health and Human Resources (DHHR) uses the Recipient Automated Payment Information Data System (RAPIDS) as its Automated Data Processing (ADP) system for SNAP. Our testing of the controls surrounding eligibility determination noted that no independent review and approval is required in RAPIDS for case information input by the case worker. Further, it was noted that review and approval of disbursements only occurs at the batch level, which does not allow the independent reviewer to review each transaction individually. Data integrity is a critical for the automation SNAP operations. Due to limitations of the ADP system for SNAP, the auditor was unable to conclude whether or not the State’s ADP system for SNAP (i.e., RAPIDS) was in compliance with requirements of 7 CFR section 272.10. Cause: Controls within the RAPIDS system are not designed to sufficiently protect the integrity of data input into the system. Effect or Potential Effect: The information related to the operations of the SNAP Cluster may not be appropriately maintained, processed or transmitted by the ADP system. Questioned Costs: N/A Context: Total federal expenditures for the SNAP Cluster were $884,947,739 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–002 Recommendation: We recommend that management establish the appropriate segregation of duties related to the review and approval of eligibility applications, in order to maintain effective IT general controls over the RAPIDS ADP system for SNAP. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–006 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200 requires that costs do not consist of improper payments, defined as “any payment that should not have been made or that was made in an incorrect amount under statutory, contractual, administrative, or other legally applicable requirements. Incorrect amounts are overpayments or underpayments that are made to eligible recipients (including inappropriate denials of payment or service, any payment that does not account for credit for applicable discounts, payments that are for an incorrect amount, and duplicate payments). An improper payment also includes any payment that was made to an ineligible recipient or for an ineligible good or service, or payments for goods or services not received (except for such payments authorized by law).” Condition: During our testing of 40 cases for allowability for SNAP, we noted one emergency supplemental allotment payment to a recipient for a month that was not allowable. Cause: Internal controls are not adequately designed or implemented to prevent non-compliance surrounding the issuance of SNAP benefits. Effect or Potential Effect: Disbursements to recipients could be made that are not allowable. Questioned Costs: $463 Context: Total federal expenditures for the SNAP Cluster were $884,947,739 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–003 Recommendation: DHHR should ensure that all compliance requirements are reviewed to ensure the benefit amounts are accurate prior to disbursement. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–007 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education Child Nutrition Cluster 10.553/10.555/10.556/10.559/10.582
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: The West Virginia Department of Education is a prime recipient of funding for the Child Nutrition Cluster and made first tier subawards of greater than $30,000, but did not file any of the necessary Federal Funding Accountability and Transparency Act (FFATA) reports. Cause: Policies and procedures and internal controls were not in place to ensure compliance with the Transparency Act. Effect or Potential Effect: West Virginia Department of Education management did not report the necessary FFATA reports for first tier subawards over $30,000 to The FFATA Subaward Reporting System. Questioned Costs: N/A Context: Total federal expenditures and total subrecipient expenditures for the Child Nutrition Cluster were $197,977,921 and $197,522,202, respectively, for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–004 Recommendation: We recommend that West Virginia Department of Education management take immediate action to ensure compliance with the reporting requirements of the FFATA. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–007 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education Child Nutrition Cluster 10.553/10.555/10.556/10.559/10.582
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: The West Virginia Department of Education is a prime recipient of funding for the Child Nutrition Cluster and made first tier subawards of greater than $30,000, but did not file any of the necessary Federal Funding Accountability and Transparency Act (FFATA) reports. Cause: Policies and procedures and internal controls were not in place to ensure compliance with the Transparency Act. Effect or Potential Effect: West Virginia Department of Education management did not report the necessary FFATA reports for first tier subawards over $30,000 to The FFATA Subaward Reporting System. Questioned Costs: N/A Context: Total federal expenditures and total subrecipient expenditures for the Child Nutrition Cluster were $197,977,921 and $197,522,202, respectively, for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–004 Recommendation: We recommend that West Virginia Department of Education management take immediate action to ensure compliance with the reporting requirements of the FFATA. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–007 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education Child Nutrition Cluster 10.553/10.555/10.556/10.559/10.582
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: The West Virginia Department of Education is a prime recipient of funding for the Child Nutrition Cluster and made first tier subawards of greater than $30,000, but did not file any of the necessary Federal Funding Accountability and Transparency Act (FFATA) reports. Cause: Policies and procedures and internal controls were not in place to ensure compliance with the Transparency Act. Effect or Potential Effect: West Virginia Department of Education management did not report the necessary FFATA reports for first tier subawards over $30,000 to The FFATA Subaward Reporting System. Questioned Costs: N/A Context: Total federal expenditures and total subrecipient expenditures for the Child Nutrition Cluster were $197,977,921 and $197,522,202, respectively, for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–004 Recommendation: We recommend that West Virginia Department of Education management take immediate action to ensure compliance with the reporting requirements of the FFATA. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–007 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education Child Nutrition Cluster 10.553/10.555/10.556/10.559/10.582
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: The West Virginia Department of Education is a prime recipient of funding for the Child Nutrition Cluster and made first tier subawards of greater than $30,000, but did not file any of the necessary Federal Funding Accountability and Transparency Act (FFATA) reports. Cause: Policies and procedures and internal controls were not in place to ensure compliance with the Transparency Act. Effect or Potential Effect: West Virginia Department of Education management did not report the necessary FFATA reports for first tier subawards over $30,000 to The FFATA Subaward Reporting System. Questioned Costs: N/A Context: Total federal expenditures and total subrecipient expenditures for the Child Nutrition Cluster were $197,977,921 and $197,522,202, respectively, for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–004 Recommendation: We recommend that West Virginia Department of Education management take immediate action to ensure compliance with the reporting requirements of the FFATA. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–007 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education Child Nutrition Cluster 10.553/10.555/10.556/10.559/10.582
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: The West Virginia Department of Education is a prime recipient of funding for the Child Nutrition Cluster and made first tier subawards of greater than $30,000, but did not file any of the necessary Federal Funding Accountability and Transparency Act (FFATA) reports. Cause: Policies and procedures and internal controls were not in place to ensure compliance with the Transparency Act. Effect or Potential Effect: West Virginia Department of Education management did not report the necessary FFATA reports for first tier subawards over $30,000 to The FFATA Subaward Reporting System. Questioned Costs: N/A Context: Total federal expenditures and total subrecipient expenditures for the Child Nutrition Cluster were $197,977,921 and $197,522,202, respectively, for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–004 Recommendation: We recommend that West Virginia Department of Education management take immediate action to ensure compliance with the reporting requirements of the FFATA. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–008 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Housing and Urban Development Community Development Block Grants/State’s Program and Non-Entitlement Gants in Hawaii 14.228, Grant Award B15DC540001, Grant Award B16DL540001 #2, Grant Award B15DC540001, Grant Award B16DC540001, Grant Award B17DC540001, Grant Award B18DC540001, Grant Award B19DC540001, Grant Award B20DC540001, Grant Award B20DW540001, Grant Award B21DC540001 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) Reports, it was noted that the reports were not submitted by the State of West Virginia Community Development Block Grant program management within the timeframe designated in 2 CFR 170 Appendix A.
Cause: A lack of oversight and adequate review of the FFATA reporting requirements by CDBG management caused the reports required for first-tier subawards over $30,000 to not be submitted timely to the FFATA Subaward Reporting System, and to have missing/incorrect information reported. Effect or Potential Effect: CDBG management did not report the necessary FFATA reports for first-tier subawards over $30,000 to The FFATA Subaward Reporting System accurately or in a timely fashion. Questioned Costs: N/A Context: Subawards for the CDBG program included 19 subawards that totaled $21,829,101 for the year ended June 30, 2023. The five subawards tested that were not reported to the FFATA Subaward Reporting System timely were $18,302,375. Total expenditures for the CDBG program were $29,946,440 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–005 Recommendation: We recommend that CDBG management take immediate action to ensure compliance with the reporting requirements of the Federal Funding Accountability and Transparency Act, which includes the timely submission of the reports and accurate information. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–008 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Housing and Urban Development Community Development Block Grants/State’s Program and Non-Entitlement Gants in Hawaii 14.228, Grant Award B15DC540001, Grant Award B16DL540001 #2, Grant Award B15DC540001, Grant Award B16DC540001, Grant Award B17DC540001, Grant Award B18DC540001, Grant Award B19DC540001, Grant Award B20DC540001, Grant Award B20DW540001, Grant Award B21DC540001 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) Reports, it was noted that the reports were not submitted by the State of West Virginia Community Development Block Grant program management within the timeframe designated in 2 CFR 170 Appendix A.
Cause: A lack of oversight and adequate review of the FFATA reporting requirements by CDBG management caused the reports required for first-tier subawards over $30,000 to not be submitted timely to the FFATA Subaward Reporting System, and to have missing/incorrect information reported. Effect or Potential Effect: CDBG management did not report the necessary FFATA reports for first-tier subawards over $30,000 to The FFATA Subaward Reporting System accurately or in a timely fashion. Questioned Costs: N/A Context: Subawards for the CDBG program included 19 subawards that totaled $21,829,101 for the year ended June 30, 2023. The five subawards tested that were not reported to the FFATA Subaward Reporting System timely were $18,302,375. Total expenditures for the CDBG program were $29,946,440 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–005 Recommendation: We recommend that CDBG management take immediate action to ensure compliance with the reporting requirements of the Federal Funding Accountability and Transparency Act, which includes the timely submission of the reports and accurate information. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–009 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of the Interior Abandoned Mine Land Reclamation (AMLR) 15.252, Grant Award S16AF20058, Grant Award S18AF20000, Grant Award S19AF20000, Grant Award S19AF20020, Grant Award S20AF20008, Grant Award S20AF20038, Grant Award S20AF20094, Grant Award S21AF10040, Grant Award S22AF00013, Grant Award S22AF00039, Grant Award S23AF00013, Grant Award S23AF00059, Grant Award S23AF00107 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: For three of four subawards selected for testing, the West Virginia Department of Environmental Protection (the Department) was not in compliance with FFATA reporting requirements. The following table summarizes the exceptions noted during testing. There were no internal controls in place surrounding review and approval of the FFATA reports. Cause: The Department does not have adequate internal controls and policies and procedures in place to ensure that subawards of $30,000 or more are being reported accurately to FSRS. Effect or Potential Effect: The Department is not reporting accurate information for first-tier subawards of $30,000 or more causing them not to be in compliance with federal reporting requirements. Questioned Costs: N/A Context: Total federal expenditures and total subrecipient expenditures for the Abandoned Mine Land Reclamation (AMLR) Grants program were $29,631,143 and $12,283,714, respectively, for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that the Department strengthen internal controls and policies and procedures over FFATA reporting to ensure they are in compliance with federal reporting requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–010 REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of the Interior Abandoned Mine Land Reclamation (AMLR) 15.252, Grant Award S16AF20058, Grant Award S18AF20000, Grant Award S19AF20000, Grant Award S19AF20020, Grant Award S20AF20008, Grant Award S20AF20038, Grant Award S20AF20094, Grant Award S21AF10040, Grant Award S22AF00013, Grant Award S22AF00039, Grant Award S23AF00013, Grant Award S23AF00059, Grant Award S23AF00107 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.302(b)(2) “Accurate, current, and complete disclosure of the financial results of each Federal award or program in accordance with the reporting requirements set forth in §§ 200.328 and 200.329.” Condition: The West Virginia Department of Environmental Protection (the Department) is responsible for preparing the SF-425 and SF-425A. There were errors in reporting on the SF-425 reports where receipts and disbursements reported did not agree to the underlying data used to prepare the reports. In addition, the Department did not file the SF-425A reports as required. There were no internal controls in place surrounding review and approval of the financial reports. Cause: The Department does not have adequate internal controls and policies and procedures in place to ensure that reports contain accurate financial information and are submitted as required. Effect or Potential Effect: The Department is not reporting accurate information for the SF-425 reports and is not submitting the SF-425A reports causing them not to be in compliance with federal reporting requirements over financial reports. Questioned Costs: Unknown Context: We selected five SF-425 reports for testing and noted errors in all the reports. We selected five SF-425A reports for testing and noted the reports were not filed. Total federal expenditures for the AMLR Grants program were $29,631,143 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that the Department strengthen internal controls and policies and procedures over financial reporting to ensure they are in compliance with federal reporting requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–011 SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of the Interior Abandoned Mine Land Reclamation (AMLR) 15.252, Grant Award S16AF20058, Grant Award S18AF20000, Grant Award S19AF20000, Grant Award S19AF20020, Grant Award S20AF20008, Grant Award S20AF20038, Grant Award S20AF20094, Grant Award S21AF10040, Grant Award S22AF00013, Grant Award S22AF00039, Grant Award S23AF00013, Grant Award S23AF00059, Grant Award S23AF00107
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.332(b) requires that all pass-through entities must: (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency). Condition: We noted that the West Virginia Department of Environmental Protection (the Department) did not perform a subrecipient risk assessment. Therefore, the Department was unable to provide documentation supporting that the level of monitoring to be completed for each subrecipient was appropriate based on the risk assessment. Cause: The Department does not have policies and procedures in place surrounding the subrecipient monitoring compliance requirements and a risk assessment of subrecipients was not performed during the current fiscal year. Effect or Potential Effect: The Department does not have proper internal controls in place to ensure risk assessments are performed annually for all subrecipients. Questioned Costs: Unknown Context: Total federal expenditures and total subrecipient expenditures for the AMLR Grants program were $29,631,143 and $12,283,714, respectively, for the year ended June 30, 2023. There were 24 subrecipients during the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that the Department implement written policies and procedures to perform an annual risk assessment of subrecipients to determine the proper extent of monitoring procedures. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–012 REPORTING - SCHEDULE OF EXPENDITURES OF FEDERAL AWARDS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of the Interior Abandoned Mine Land Reclamation (AMLR) Grants 15.252, Grant Award S16AF20058, Grant Award S18AF20000, Grant Award S19AF20000, Grant Award S19AF20020. Grant Award S20AF20008, Grant Award S20AF20038, Grant Award S20AF20094, Grant Award S21AF10040, Grant Award S22AF00013, Grant Award S22AF00039, Grant Award S23AF00013, Grant Award S23AF00059, Grant Award S23AF00107 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The Uniform Guidance 2 CFR section 200.510 states, “(b) Schedule of expenditures of Federal awards. The auditee must also prepare a schedule of expenditures of federal awards (SEFA) for the period covered by the auditee’s financial statements which must include the total Federal awards expended as determined in accordance with §200.502 Basis for determining Federal awards expended.” Condition: The West Virginia Department of Environmental Protection (the Department)’s internal controls are not adequate to ensure the Schedule of Expenditures of Federal Awards (SEFA) accurately reports all federal assistance. The Department’s SEFA for fiscal year 2023 under the Abandoned Mine Land Reclamation (AMLR) Grants program excluded indirect costs preliminary SEFA. Cause: The internal controls over the SEFA reporting processes were not operating effectively to ensure the SEFA included indirect costs. Effect or Potential Effect: The Department is not properly reporting their federal expenditures and major programs may not be appropriately identified. Questioned Costs: N/A Context: Total indirect costs for fiscal 2023, totaling $1,592,074, were incorrectly excluded from the SEFA. Management corrected the final SEFA. Total federal expenditures for the AMLR Grants program were $31,223,217 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that the Department ensure staff responsible for the preparation of the SEFA be provided guidance on recording indirect expenses on the SEFA and the SEFA be reviewed and approved by supervising personnel. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–013 INTERNAL CONTROLS OVER INFORMATION TECHNOLOGY
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Labor Unemployment Insurance (UI) 17.225, Grant Award UI-38244-22-55-A-54, Grant Award UI-34749-20-55-A-54, Grant Award UI-39304-23-55-A-54, Grant Award UI-37257-22-55-A-54, Grant Award UI-39356-23-55-A-54, Grant Award UI-38014-22-60-A-54
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Workforce West Virginia (WWV) does not perform periodic documented reviews of administrator access changes to the Automated Benefit Payment System (ABPS) or the Unemployment Compensation Tax applications (UC Tax). A user access review is performed periodically for ABPS and UC Tax, however the review is not documented. Employee terminations were not being communicated timely to the West Virginia Office of Technology (WVOT) to remove network access or within the organization to remove access to ABPS and UC Tax. The current process to remove terminated employees does not allow for the documentation of all applications requiring access removal. WWV has not performed periodic disaster recovery testing for WWV owned applications. WWV did not perform a timely review of the SOC report for wvOASIS and documentation did not include reviewing and determining if the required complementary user entity controls were in place. Additionally, complementary user entity controls were not in place. Cause: The internal controls over the information technology processes were not adequately designed or implemented. Effect or Potential Effect: Unauthorized access to critical information systems may occur and not be detected or resolved in a timely manner causing WWV to be in noncompliance.
WWV may not be able to effectively respond to a disaster and recover pertinent data. Questioned Costs: N/A Context: Total federal disbursements for the UI program were $138,362,181 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Findings 2022–008 and 2021–005 Recommendation: WWV should implement policies and procedures that include monitoring the information systems and systems controls reports. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–014 REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Labor Unemployment Insurance (UI) 17.225, Grant Award UI-38244-22-55-A-54, Grant Award UI-34749-20-55-A-54, Grant Award UI-39304-23-55-A-54, Grant Award UI-37257-22-55-A-54, Grant Award UI-9356-23-55-A-54, Grant Award UI-38014-22-60-A-54 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The following reports tested were not reviewed and approved prior to submission: 1) ) one of the four Employment and Training Administration “ETA” 9050 reports 2) two of the four ETA 9052 reports, and 3) one of the four ETA 9055 reports. Cause: The internal controls over the individual reporting processes were not adequately enforced or documented. Effect and Potential Effect: Reports could be filed with errors or lack of supporting documentation and not be identified by management. Questioned Costs: N/A Context: Total federal disbursements for the UI program were $138,362,181 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Findings 2022–007 and 2021–006 Recommendation: We recommend that WWV implement internal controls over the report submission process, to ensure each report is reviewed and approved by appropriate individuals familiar with the reporting requirements to ensure that accurate information is reported. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–015 REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Transportation National Infrastructure Investments 20.933, Grant Award 693JJ22040000BDG0WV0522045, Grant Award 693JJ22040000BDG0WV0484326, Grant Award 693JJ22140000BDG3WV0641399, Grant Award 693JJ22240000BDG6WV0793309 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The terms and conditions of the grant awards require the recipient to submit various financial and performance reports, including Quarterly Project Progress Reports and Pre-Project Performance Measurement Reports. Condition: The West Virginia Division of Highways (the Division) could not provide documentation that the Quarterly Project Progress Reports and Pre-project Performance Measurement Report, that were required to be submitted during the fiscal year under audit, were filed. Cause: The Division does not have proper policies and procedures in place surrounding the reporting compliance requirements. Effect or Potential Effect: The Division could not provide documentation that required reports were submitted to the federal awarding agency in accordance with the grant awards. Questioned Costs: Unknown Context: There was one Pre-project Performance Measurement Report and 15 Quarterly Project Progress Reports required to be filed in fiscal year 2023. Total federal expenditures for the National Infrastructure Investments program were $35,831,611 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that the Division implement policies and procedures surrounding reporting to ensure compliance with all conditions of the grant awards. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–016 SPECIAL TESTS AND PROVISIONS - NOTIFICATION OF CHANGES TO KEY PERSONNEL
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Transportation National Infrastructure Investments 20.933, Grant Award 693JJ22040000BDG0WV0522045, Grant Award 693JJ22040000BDG0WV0484326, Grant Award 693JJ22140000BDG3WV0641399, Grant Award 693JJ22240000BDG6WV0793309 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The terms and conditions of the grant awards require the recipient to notify all U.S. Department of Transportation (USDOT) representatives, noted in the grant agreement, in writing within 30 calendar days of any change in key personnel. Condition: The West Virginia Division of Highways (the Division) could not provide documentation that the USDOT was made aware of changes in key personnel within 30 calendar days. Cause: The Division does not have proper policies and procedures in place over the notification of changes to key personnel requirements. Effect or Potential Effect: The Division is not in compliance with the provisions of the grant awards since changes to key personnel were not communicated in writing to the USDOT within 30 calendar days. Questioned Costs: Unknown Context: There were three grants that had a change in key personnel; the change in key personnel was not communicated to the USDOT. Total federal expenditures for the National Infrastructure Investments program were $35,831,611 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that the Division implement policies and procedures surrounding the notification of changes to key personnel requirements to ensure compliance with all conditions of the grant awards. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–017 SPECIAL TESTS AND PROVISIONS – SATISFACTORY ACADEMIC PROGRESS (N9)
Federal Program Information: Federal Agency and Program Name Assistance Listing #
Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” 34 CFR 668.16(e) states: “For purposes of determining student eligibility for assistance under a title IV, HEA program, establishes, publishes, and applies reasonable standards for measuring whether an otherwise eligible student is maintaining satisfactory academic progress in his or her educational program. The Secretary considers an institution's standards to be reasonable if the standards are in accordance with the provisions specified in § 668.34.” 34 CFR 668.34 states: “An institution must establish a reasonable satisfactory academic progress policy for determining whether an otherwise eligible student is making satisfactory academic progress in his or her educational program and may receive assistance under the title IV, HEA programs. The Secretary considers the institution's policy to be reasonable if— (1) The policy is at least as strict as the policy the institution applies to a student who is not receiving assistance under the title IV, HEA programs; (2) The policy provides for consistent application of standards to all students within categories of students, e.g., full-time, part-time, undergraduate, and graduate students, and educational programs established by the institution; (3) The policy provides that a student's academic progress is evaluated— (i) At the end of each payment period if the educational program is either one academic year in length or shorter than an academic year; or (ii) For all other educational programs, at the end of each payment period or at least annually to correspond with the end of a payment period; (4) (i) The policy specifies the grade point average (GPA) that a student must achieve at each evaluation, or if a GPA is not an appropriate qualitative measure, a comparable assessment measured against a norm; and (ii) If a student is enrolled in an educational program of more than two academic years, the policy specifies that at the end of the second academic year, the student must have a GPA of at least a “C” or its equivalent, or have academic standing consistent with the institution's requirements for graduation; (5) The policy specifies— (i) For all programs, the maximum timeframe as defined in paragraph (b) of this section; and (ii) For a credit hour program using standard or nonstandard terms that is not a subscription-based program, the pace, measured at each evaluation, at which a student must progress through his or her educational program to ensure that the student will complete the program within the maximum timeframe, calculated by either dividing the cumulative number of hours the student has successfully completed by the cumulative number of hours the student has attempted or by determining the number of hours that the student should have completed by the evaluation point in order to complete the program within the maximum timeframe. In making this calculation, the institution is not required to include remedial courses; (6) The policy describes how a student's GPA and pace of completion are affected by course incompletes, withdrawals, or repetitions, or transfers of credit from other institutions. Credit hours from another institution that are accepted toward the student's educational program must count as both attempted and completed hours; (7) Except as provided in paragraphs (c) and (d) of this section, the policy provides that, at the time of each evaluation, a student who has not achieved the required GPA, or who is not successfully completing his or her educational program at the required pace, is no longer eligible to receive assistance under the title IV, HEA programs; (8) If the institution places students on financial aid warning, or on financial aid probation, as defined in paragraph (b) of this section, the policy describes these statuses and that— (i) A student on financial aid warning may continue to receive assistance under the title IV, HEA programs for one payment period despite a determination that the student is not making satisfactory academic progress. Financial aid warning status may be assigned without an appeal or other action by the student; and (ii) A student on financial aid probation may receive title IV, HEA program funds for one payment period. While a student is on financial aid probation, the institution may require the student to fulfill specific terms and conditions such as taking a reduced course load or enrolling in specific courses. At the end of one payment period on financial aid probation, the student must meet the institution's satisfactory academic progress standards or meet the requirements of the academic plan developed by the institution and the student to qualify for further title IV, HEA program funds; (9) If the institution permits a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy describes— (i) How the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; (ii) The basis on which a student may file an appeal: The death of a relative, an injury or illness of the student, or other special circumstances; and (iii) Information the student must submit regarding why the student failed to make satisfactory academic progress, and what has changed in the student's situation that will allow the student to demonstrate satisfactory academic progress at the next evaluation; (10) If the institution does not permit a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy must describe how the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; and (11) The policy provides for notification to students of the results of an evaluation that impacts the student's eligibility for title IV, HEA program funds.” Condition: Bluefield State University (BSU), Fairmont State University (FSU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia School of Osteopathic Medicine (WVSOM), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the satisfactory academic progress (SAP) policy. During our testing, we noted there was no documentation retained to evidence that a review of the SAP policy was performed to ensure compliance with federal regulations. Additionally, Blue Ridge Community College (BRCTC) and WVUP did not publish the most recent version of the SAP policy on their websites. Furthermore, WVSOM did not include reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policy as the related SAP polices excluded the required element #11 above. BRCTC had an appropriate policy, but they did not publish the most recent version of the policy on their website. The older version of the SAP policy that was published on their website did not include the required element #11 above. Cause: Management of BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP did not retain sufficient documentation for their review procedures over the SAP policy. Management of BRCTC and WVSOM did not include all reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policies. Effect or Potential Effect: The published SAP policy may be deemed insufficient for the compliance requirements. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP were $5,084,582, $7,651,688, $17,584,932, $93,991,163, $3,672,778, $16,726,007, $3,090,314, $44,681,370, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should ensure the SAP is reviewed and approved on an annual basis and supporting documentation of the review retained. Management should design and implement internal controls over the SAP policy to ensure all requirements are included in the policy appropriately and published on the institution’s website timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–019 SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY (N12)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls. (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (iv) Assess apps developed by the institution (v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (vi) Dispose of customer information securely (vii) Anticipate and evaluate changes to the information system or network. (viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Blue Ridge Community and Technical College (BRCTC), Concord University (CU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program for Bluefield University (BSU), CU, MU, NRCTC, Shepherd University (SU), WLU, WVNCC, West Virginia State University (WVSU) and WVUP did not address all required elements per 16 CFR 314.4 outlined above. Furthermore, Fairmont State University (FSU) and Pierpont Community and Technical College (PCTC) did not have a written Information Security Program. For FSU, the written Information Security Program was not in place until May 2023. Cause: Management of BRCTC, CU, MU, NRCTC, WLU, WVNCC, and WVUP did not retain sufficient documentation for their review procedures over the Information Security Program. Management of BSU, CU, MU, NRCTC, SU, WVNCC, and WVSU did not include all reasonable standards required for the Information Security Program. Management of FSU and PCTC did not have a written Information Security Program. Effect or Potential Effect: The written Information Security Program may not be compliant with federal regulations. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, CU, FSU, MU, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, and WVUP were $5,084,582, $7,651,688, $13,833,684, $17,584,932, $93,991,163, $3,672,778, $4,388,461, $15,171,851, $16,726,007, $3,090,314, $9,313,808, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–020 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – VERIFICATION (N1)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Fairmont State University (FSU) did not have adequate internal controls in place surrounding the verification compliance requirement. During our testing, we noted for the samples selected that there were multiple selections showing a lack of proper review in the verification process. Cause: FSU did not have adequate internal controls in place to ensure that verification changes identified were processed and submitted to the U.S. Department of Education. Effect or Potential Effect: Students receiving federal aid could receive the incorrect amount of federal student financial assistance. Questioned Costs: N/A Context: We selected a sample of 23 students for FSU and identified 8 instances where the verification forms were not reviewed and approved. Total Student Financial Assistance Cluster expenditures for FSU were $17,584,932 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–015 and 2021–014 Recommendation: Management should develop and update internal controls to ensure that controls related to the verification process are implemented. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–021 BANNER INFORMATION TECHNOLOGY GENERAL CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the Banner application instances at 12 of 15 universities / colleges. As a result, Banner ITGCs, and therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Across the 11 universities/colleges (Blue Ridge Community and Technical College, Bluefield State University, Mountwest Community and Technical College, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia University, West Virginia University at Parkersburg, and West Virginia State University), management did not have a formalized process to support access provisioning events were authorized, approved and documented. Additionally, documentation did not exist to support the timely revocation of access upon a user leaving the university / college. Further, a user access review for Banner was not performed to ensure access remains appropriate based on users’ job responsibilities. We also identified instances where privileged accounts to Banner were shared amongst users and password settings were not configured with leading industry standards. Specific to the change management process, a formalized and documented process was not consistently followed to support that Banner application and supporting infrastructure patches and releases were authorized, tested, and approved prior to being implemented to production. Effect or Potential Effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the student financial aid system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned Costs: None Context: The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified Banner access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the Banner application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the Banner application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access to the Banner application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. Management should configure Banner password settings related to minimum length, complexity, expiration, history, and account lockout to enhance overall security. Further, privileged access to the Banner application should be granted to administrators via unique IDs to provide accountability and avoid the sharing of default privileged accounts. A formal, documented change process needs implemented to capture authorization, testing and production migration approvals for patches and releases to the Banner application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–022 SPECIAL TESTS AND PROVISIONS – RETURN OF TITLE IV FUNDS (N4)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 34 CFR section 668.173(b) requires timely return of title IV, HEA program funds. “In accordance with procedures established by the Secretary or FFEL Program lender, an institution returns unearned title IV, HEA program funds timely if - (1) The institution deposits or transfers the funds into the bank account it maintains under § 668.163 no later than 45 days after the date it determines that the student withdrew; (2) The institution initiates an electronic funds transfer (EFT) no later than 45 days after the date it determines that the student withdrew; (3) The institution initiates an electronic transaction, no later than 45 days after the date it determines that the student withdrew, that informs a FFEL lender to adjust the borrower’s loan account for the amount returned; or (4) The institution issues a check no later than 45 days after the date it determines that the student withdrew. An institution does not satisfy this requirement if - (i) The institution’s records show that the check was issued more than 45 days after the date the institution determined that the student withdrew; or (ii) The date on the cancelled check shows that the bank used by the Secretary or FFEL Program lender endorsed that check more than 60 days after the date the institution determined that the student withdrew.” Condition: Blue Ridge Community and Technical College (BRCTC), Mountwest Career & Technical College (MCTC), Pierpont Community and Technical College (PCTC), and West Virginia Northern Community College (WVNCC) were unable to provide adequate documentation showing they maintained an effective review process over the returns of Title IV funds. In addition, for Bluefield State University (BSU) it was noted during compliance testing that certain amounts to be returned were not returned timely. Cause: The institutions do not have adequate internal controls in place over the return of Title IV funds to prevent noncompliance. Effect or Potential Effect: The institutions may not be returning the correct amount of federal student financial assistance required or the funds are not returned within the required time frame to the United States Department of Education. Questioned Costs: None Context: In 11 of 29 instances of internal control testing at BRCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. The support documentation provided did not include any evidence of review. In 19 of 22 instances of internal control testing at MCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. MCTC relied on application controls within the Banner system, which has been determined to have ineffective ITGCs. Additionally, the support documentation provided did not include sufficient evidence of review. In 2 of 18 instances in internal control testing at PCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. In addition, the return to Title IV funds was not completed within the required 45-day timeframe. In all 20 instances of internal control testing at WVNCC, we noted that the internal control was not sufficiently documented or not functioning effectively. WVNCC relied on the application controls within the Banner system, which has been determined to have ineffective ITGCs. Additionally, there was no evidence of review of the calculation in the support documentation provided. In one of 40 returns tested for compliance, we noted that one return related to BSU was not completed within the required 45-day timeframe. Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, MCTC, PCTC, and WVNCC were $5,084,582, $7,651,688, $4,467,631, $4,388,461, and $3,090,314, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643 Identification as a Repeat Finding: Prior Year Findings 2022–011 and 2021–015 Recommendation: Management should implement internal controls to ensure that the correct amount of federal student financial assistance is returned and returned within the required time frame. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–023 INTERNAL CONTROLS OVER CASH MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: For the period July 2022 – January 2023 at Fairmont State University (FSU), there was no second level review of drawdown requests for accuracy, completeness and agreement to the underlying books and records of the institution. Bluefield State University (BSU) did not retain evidence of the review and approval for one of seven drawdown requests selected for internal control testing. Mountwest Community and Technical College (MCTC) did not have evidence of the review control related to cash management. Three of the 15 drawdown requests selected for internal control testing did not have proper approval prior to the drawdowns. West Virginia Northern Community College (WVNCC) did not retain evidence of the review and approval for seven of 12 drawdown requests selected for control testing. Cause: For FSU, one individual was responsible for preparing the drawdown request and making the drawdown through the U.S. Department of Education’s G5 payment management system. Internal controls were not implemented until February 2023. BSU, MCTC, and WVNCC have policies and procedures in place to review the drawdowns prior to requesting from the U.S. Department of Education’s G5 payment management system; however, the policies and procedures were not followed for these drawdowns. Effect or Potential Effect: Drawdowns could be inaccurate, incomplete, and not agree to underlying books and records of the institution. Questioned Costs: None Context: Total BSU, FSU, MCTC, and WVNCC expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $7,651,688, $17,584,932, and $4,467,631, and $3,090,314 respectively. Total Student Financial Assistance Cluster expenditures were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: For FSU, management should continue to follow internal controls implemented in February 2023 requiring a second level review of drawdown requests. For BSU, MCTC, and WVNCC, management should follow established policies, procedures and internal controls for the review and approval of drawdown requests. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–024 SPECIAL TESTS AND PROVISIONS – USING A SERVICER TO DELIVER TITLE IV CREDIT BALANCES TO A CARD OR OTHER ACCESS DEVICE (N3)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” An institution may enter into an arrangement with a servicer or a financial institution to make a direct payment of federal student aid credit balances to students through electronic funds transfer to a bank account designated by a student or parent, to issue a check payment to the student or to use an access device such as a debit, demand, or smart card provided by the servicer or its financial partner. Regulations at 34 CFR 668.164(e) and (f) establish two different types of arrangements between schools and financial account providers: Tier One arrangements and Tier Two arrangements. The type of arrangement determines the provisions that are applicable to the school. 34 CFR 668.164(e)(2)(viii) states under a T1 arrangement, the institution must “provide to the Secretary an up-to-date URL for the contract and contract data as described in paragraph (e)(2)(vii) of this section for publication in a centralized database accessible to the public.” 34 CFR 668.164(e)(2)(ix) states under a T1 arrangement, the institution must “ensure that the terms of the accounts offered pursuant to a T1 arrangement are not inconsistent with the best financial interests of the students opening them. The Secretary considers this requirement to be met if (A) The institution documents that it conducts reasonable due diligence reviews at least every two years to ascertain whether the fees imposed under the T1 arrangement are, considered as a whole, consistent with or below prevailing market rates; and (B) All contracts for the marketing or offering of accounts pursuant to T1 arrangements to the institution's students make provision for termination of the arrangement by the institution based on complaints received from students or a determination by the institution under paragraph (e)(2)(ix)(A) of this section that the fees assessed under the T1 arrangement are not consistent with or are higher than prevailing market rates.” 34 CFR 668.164(e)(2)(x) states under a T1 arrangement, the institution must “take affirmative steps, by way of contractual arrangements with the third-party servicer as necessary, to ensure that requirements of this section are met with respect to all accounts offered pursuant to T1 arrangements.” Condition: Bluefield State University (BSU), Blueridge Community & Technical College (BRCTC), Concord University (CU), Mountwest Community & Technical College (MCTC), Shepherd University (SU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) have a T1 arrangement with a third-party servicer. BSU, CU, SU, WVNCC, and WVUP were unable to provide documentation showing that their institutions had submitted a URL to their contract with their third-party servicer and cost information related to their third-party servicer to the U.S. Department of Education for publication in the Cash Management Contracts Database. BSU, BRCTC, CU, MCTC, SU and WVNCC were unable to provide evidence showing that their institutions documented a due diligence review over the fees assessed by their third-party servicer of Title IV credit balances. Cause: BSU, BRCTC, CU, MCTC, SU, WVUP, and WVNCC did not have an internal control in place to review the contract with their third-party servicer of Title IV credit balances or obtain and review the third-party servicer’s Title IV compliance audit to ensure compliance with federal regulations. As such, instances of noncompliance were noted above. Effect or Potential Effect: The schools are not in compliance with certain federal regulations over T1 arrangements contained in 34 CFR 668.164(e). Questioned Costs: None Context: BSU, BRCTC, CU, MCTC, SU, WVNCC, and WVUP had total expenditures of $7,651,688, $5,084,582, $13,833,684, $4,467,631, $15,171,851, $3,090,314, and $6,847,451 respectively. Total expenditures for the SFA Cluster were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: The schools should implement internal controls over the review of the contract with their third-party servicer of Title IV credit balances and their Title IV compliance audit, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1) and Report on Controls Relevant to Security (SOC 2) to ensure compliance with the federal regulations over T1 arrangements. Documentation over the specific items reviewed and conclusions reached should be retained to support the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–017 SPECIAL TESTS AND PROVISIONS – SATISFACTORY ACADEMIC PROGRESS (N9)
Federal Program Information: Federal Agency and Program Name Assistance Listing #
Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” 34 CFR 668.16(e) states: “For purposes of determining student eligibility for assistance under a title IV, HEA program, establishes, publishes, and applies reasonable standards for measuring whether an otherwise eligible student is maintaining satisfactory academic progress in his or her educational program. The Secretary considers an institution's standards to be reasonable if the standards are in accordance with the provisions specified in § 668.34.” 34 CFR 668.34 states: “An institution must establish a reasonable satisfactory academic progress policy for determining whether an otherwise eligible student is making satisfactory academic progress in his or her educational program and may receive assistance under the title IV, HEA programs. The Secretary considers the institution's policy to be reasonable if— (1) The policy is at least as strict as the policy the institution applies to a student who is not receiving assistance under the title IV, HEA programs; (2) The policy provides for consistent application of standards to all students within categories of students, e.g., full-time, part-time, undergraduate, and graduate students, and educational programs established by the institution; (3) The policy provides that a student's academic progress is evaluated— (i) At the end of each payment period if the educational program is either one academic year in length or shorter than an academic year; or (ii) For all other educational programs, at the end of each payment period or at least annually to correspond with the end of a payment period; (4) (i) The policy specifies the grade point average (GPA) that a student must achieve at each evaluation, or if a GPA is not an appropriate qualitative measure, a comparable assessment measured against a norm; and (ii) If a student is enrolled in an educational program of more than two academic years, the policy specifies that at the end of the second academic year, the student must have a GPA of at least a “C” or its equivalent, or have academic standing consistent with the institution's requirements for graduation; (5) The policy specifies— (i) For all programs, the maximum timeframe as defined in paragraph (b) of this section; and (ii) For a credit hour program using standard or nonstandard terms that is not a subscription-based program, the pace, measured at each evaluation, at which a student must progress through his or her educational program to ensure that the student will complete the program within the maximum timeframe, calculated by either dividing the cumulative number of hours the student has successfully completed by the cumulative number of hours the student has attempted or by determining the number of hours that the student should have completed by the evaluation point in order to complete the program within the maximum timeframe. In making this calculation, the institution is not required to include remedial courses; (6) The policy describes how a student's GPA and pace of completion are affected by course incompletes, withdrawals, or repetitions, or transfers of credit from other institutions. Credit hours from another institution that are accepted toward the student's educational program must count as both attempted and completed hours; (7) Except as provided in paragraphs (c) and (d) of this section, the policy provides that, at the time of each evaluation, a student who has not achieved the required GPA, or who is not successfully completing his or her educational program at the required pace, is no longer eligible to receive assistance under the title IV, HEA programs; (8) If the institution places students on financial aid warning, or on financial aid probation, as defined in paragraph (b) of this section, the policy describes these statuses and that— (i) A student on financial aid warning may continue to receive assistance under the title IV, HEA programs for one payment period despite a determination that the student is not making satisfactory academic progress. Financial aid warning status may be assigned without an appeal or other action by the student; and (ii) A student on financial aid probation may receive title IV, HEA program funds for one payment period. While a student is on financial aid probation, the institution may require the student to fulfill specific terms and conditions such as taking a reduced course load or enrolling in specific courses. At the end of one payment period on financial aid probation, the student must meet the institution's satisfactory academic progress standards or meet the requirements of the academic plan developed by the institution and the student to qualify for further title IV, HEA program funds; (9) If the institution permits a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy describes— (i) How the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; (ii) The basis on which a student may file an appeal: The death of a relative, an injury or illness of the student, or other special circumstances; and (iii) Information the student must submit regarding why the student failed to make satisfactory academic progress, and what has changed in the student's situation that will allow the student to demonstrate satisfactory academic progress at the next evaluation; (10) If the institution does not permit a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy must describe how the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; and (11) The policy provides for notification to students of the results of an evaluation that impacts the student's eligibility for title IV, HEA program funds.” Condition: Bluefield State University (BSU), Fairmont State University (FSU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia School of Osteopathic Medicine (WVSOM), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the satisfactory academic progress (SAP) policy. During our testing, we noted there was no documentation retained to evidence that a review of the SAP policy was performed to ensure compliance with federal regulations. Additionally, Blue Ridge Community College (BRCTC) and WVUP did not publish the most recent version of the SAP policy on their websites. Furthermore, WVSOM did not include reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policy as the related SAP polices excluded the required element #11 above. BRCTC had an appropriate policy, but they did not publish the most recent version of the policy on their website. The older version of the SAP policy that was published on their website did not include the required element #11 above. Cause: Management of BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP did not retain sufficient documentation for their review procedures over the SAP policy. Management of BRCTC and WVSOM did not include all reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policies. Effect or Potential Effect: The published SAP policy may be deemed insufficient for the compliance requirements. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP were $5,084,582, $7,651,688, $17,584,932, $93,991,163, $3,672,778, $16,726,007, $3,090,314, $44,681,370, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should ensure the SAP is reviewed and approved on an annual basis and supporting documentation of the review retained. Management should design and implement internal controls over the SAP policy to ensure all requirements are included in the policy appropriately and published on the institution’s website timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–019 SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY (N12)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls. (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (iv) Assess apps developed by the institution (v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (vi) Dispose of customer information securely (vii) Anticipate and evaluate changes to the information system or network. (viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Blue Ridge Community and Technical College (BRCTC), Concord University (CU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program for Bluefield University (BSU), CU, MU, NRCTC, Shepherd University (SU), WLU, WVNCC, West Virginia State University (WVSU) and WVUP did not address all required elements per 16 CFR 314.4 outlined above. Furthermore, Fairmont State University (FSU) and Pierpont Community and Technical College (PCTC) did not have a written Information Security Program. For FSU, the written Information Security Program was not in place until May 2023. Cause: Management of BRCTC, CU, MU, NRCTC, WLU, WVNCC, and WVUP did not retain sufficient documentation for their review procedures over the Information Security Program. Management of BSU, CU, MU, NRCTC, SU, WVNCC, and WVSU did not include all reasonable standards required for the Information Security Program. Management of FSU and PCTC did not have a written Information Security Program. Effect or Potential Effect: The written Information Security Program may not be compliant with federal regulations. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, CU, FSU, MU, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, and WVUP were $5,084,582, $7,651,688, $13,833,684, $17,584,932, $93,991,163, $3,672,778, $4,388,461, $15,171,851, $16,726,007, $3,090,314, $9,313,808, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–020 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – VERIFICATION (N1)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Fairmont State University (FSU) did not have adequate internal controls in place surrounding the verification compliance requirement. During our testing, we noted for the samples selected that there were multiple selections showing a lack of proper review in the verification process. Cause: FSU did not have adequate internal controls in place to ensure that verification changes identified were processed and submitted to the U.S. Department of Education. Effect or Potential Effect: Students receiving federal aid could receive the incorrect amount of federal student financial assistance. Questioned Costs: N/A Context: We selected a sample of 23 students for FSU and identified 8 instances where the verification forms were not reviewed and approved. Total Student Financial Assistance Cluster expenditures for FSU were $17,584,932 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–015 and 2021–014 Recommendation: Management should develop and update internal controls to ensure that controls related to the verification process are implemented. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–021 BANNER INFORMATION TECHNOLOGY GENERAL CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the Banner application instances at 12 of 15 universities / colleges. As a result, Banner ITGCs, and therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Across the 11 universities/colleges (Blue Ridge Community and Technical College, Bluefield State University, Mountwest Community and Technical College, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia University, West Virginia University at Parkersburg, and West Virginia State University), management did not have a formalized process to support access provisioning events were authorized, approved and documented. Additionally, documentation did not exist to support the timely revocation of access upon a user leaving the university / college. Further, a user access review for Banner was not performed to ensure access remains appropriate based on users’ job responsibilities. We also identified instances where privileged accounts to Banner were shared amongst users and password settings were not configured with leading industry standards. Specific to the change management process, a formalized and documented process was not consistently followed to support that Banner application and supporting infrastructure patches and releases were authorized, tested, and approved prior to being implemented to production. Effect or Potential Effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the student financial aid system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned Costs: None Context: The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified Banner access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the Banner application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the Banner application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access to the Banner application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. Management should configure Banner password settings related to minimum length, complexity, expiration, history, and account lockout to enhance overall security. Further, privileged access to the Banner application should be granted to administrators via unique IDs to provide accountability and avoid the sharing of default privileged accounts. A formal, documented change process needs implemented to capture authorization, testing and production migration approvals for patches and releases to the Banner application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–022 SPECIAL TESTS AND PROVISIONS – RETURN OF TITLE IV FUNDS (N4)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 34 CFR section 668.173(b) requires timely return of title IV, HEA program funds. “In accordance with procedures established by the Secretary or FFEL Program lender, an institution returns unearned title IV, HEA program funds timely if - (1) The institution deposits or transfers the funds into the bank account it maintains under § 668.163 no later than 45 days after the date it determines that the student withdrew; (2) The institution initiates an electronic funds transfer (EFT) no later than 45 days after the date it determines that the student withdrew; (3) The institution initiates an electronic transaction, no later than 45 days after the date it determines that the student withdrew, that informs a FFEL lender to adjust the borrower’s loan account for the amount returned; or (4) The institution issues a check no later than 45 days after the date it determines that the student withdrew. An institution does not satisfy this requirement if - (i) The institution’s records show that the check was issued more than 45 days after the date the institution determined that the student withdrew; or (ii) The date on the cancelled check shows that the bank used by the Secretary or FFEL Program lender endorsed that check more than 60 days after the date the institution determined that the student withdrew.” Condition: Blue Ridge Community and Technical College (BRCTC), Mountwest Career & Technical College (MCTC), Pierpont Community and Technical College (PCTC), and West Virginia Northern Community College (WVNCC) were unable to provide adequate documentation showing they maintained an effective review process over the returns of Title IV funds. In addition, for Bluefield State University (BSU) it was noted during compliance testing that certain amounts to be returned were not returned timely. Cause: The institutions do not have adequate internal controls in place over the return of Title IV funds to prevent noncompliance. Effect or Potential Effect: The institutions may not be returning the correct amount of federal student financial assistance required or the funds are not returned within the required time frame to the United States Department of Education. Questioned Costs: None Context: In 11 of 29 instances of internal control testing at BRCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. The support documentation provided did not include any evidence of review. In 19 of 22 instances of internal control testing at MCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. MCTC relied on application controls within the Banner system, which has been determined to have ineffective ITGCs. Additionally, the support documentation provided did not include sufficient evidence of review. In 2 of 18 instances in internal control testing at PCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. In addition, the return to Title IV funds was not completed within the required 45-day timeframe. In all 20 instances of internal control testing at WVNCC, we noted that the internal control was not sufficiently documented or not functioning effectively. WVNCC relied on the application controls within the Banner system, which has been determined to have ineffective ITGCs. Additionally, there was no evidence of review of the calculation in the support documentation provided. In one of 40 returns tested for compliance, we noted that one return related to BSU was not completed within the required 45-day timeframe. Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, MCTC, PCTC, and WVNCC were $5,084,582, $7,651,688, $4,467,631, $4,388,461, and $3,090,314, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643 Identification as a Repeat Finding: Prior Year Findings 2022–011 and 2021–015 Recommendation: Management should implement internal controls to ensure that the correct amount of federal student financial assistance is returned and returned within the required time frame. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–023 INTERNAL CONTROLS OVER CASH MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: For the period July 2022 – January 2023 at Fairmont State University (FSU), there was no second level review of drawdown requests for accuracy, completeness and agreement to the underlying books and records of the institution. Bluefield State University (BSU) did not retain evidence of the review and approval for one of seven drawdown requests selected for internal control testing. Mountwest Community and Technical College (MCTC) did not have evidence of the review control related to cash management. Three of the 15 drawdown requests selected for internal control testing did not have proper approval prior to the drawdowns. West Virginia Northern Community College (WVNCC) did not retain evidence of the review and approval for seven of 12 drawdown requests selected for control testing. Cause: For FSU, one individual was responsible for preparing the drawdown request and making the drawdown through the U.S. Department of Education’s G5 payment management system. Internal controls were not implemented until February 2023. BSU, MCTC, and WVNCC have policies and procedures in place to review the drawdowns prior to requesting from the U.S. Department of Education’s G5 payment management system; however, the policies and procedures were not followed for these drawdowns. Effect or Potential Effect: Drawdowns could be inaccurate, incomplete, and not agree to underlying books and records of the institution. Questioned Costs: None Context: Total BSU, FSU, MCTC, and WVNCC expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $7,651,688, $17,584,932, and $4,467,631, and $3,090,314 respectively. Total Student Financial Assistance Cluster expenditures were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: For FSU, management should continue to follow internal controls implemented in February 2023 requiring a second level review of drawdown requests. For BSU, MCTC, and WVNCC, management should follow established policies, procedures and internal controls for the review and approval of drawdown requests. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–024 SPECIAL TESTS AND PROVISIONS – USING A SERVICER TO DELIVER TITLE IV CREDIT BALANCES TO A CARD OR OTHER ACCESS DEVICE (N3)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” An institution may enter into an arrangement with a servicer or a financial institution to make a direct payment of federal student aid credit balances to students through electronic funds transfer to a bank account designated by a student or parent, to issue a check payment to the student or to use an access device such as a debit, demand, or smart card provided by the servicer or its financial partner. Regulations at 34 CFR 668.164(e) and (f) establish two different types of arrangements between schools and financial account providers: Tier One arrangements and Tier Two arrangements. The type of arrangement determines the provisions that are applicable to the school. 34 CFR 668.164(e)(2)(viii) states under a T1 arrangement, the institution must “provide to the Secretary an up-to-date URL for the contract and contract data as described in paragraph (e)(2)(vii) of this section for publication in a centralized database accessible to the public.” 34 CFR 668.164(e)(2)(ix) states under a T1 arrangement, the institution must “ensure that the terms of the accounts offered pursuant to a T1 arrangement are not inconsistent with the best financial interests of the students opening them. The Secretary considers this requirement to be met if (A) The institution documents that it conducts reasonable due diligence reviews at least every two years to ascertain whether the fees imposed under the T1 arrangement are, considered as a whole, consistent with or below prevailing market rates; and (B) All contracts for the marketing or offering of accounts pursuant to T1 arrangements to the institution's students make provision for termination of the arrangement by the institution based on complaints received from students or a determination by the institution under paragraph (e)(2)(ix)(A) of this section that the fees assessed under the T1 arrangement are not consistent with or are higher than prevailing market rates.” 34 CFR 668.164(e)(2)(x) states under a T1 arrangement, the institution must “take affirmative steps, by way of contractual arrangements with the third-party servicer as necessary, to ensure that requirements of this section are met with respect to all accounts offered pursuant to T1 arrangements.” Condition: Bluefield State University (BSU), Blueridge Community & Technical College (BRCTC), Concord University (CU), Mountwest Community & Technical College (MCTC), Shepherd University (SU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) have a T1 arrangement with a third-party servicer. BSU, CU, SU, WVNCC, and WVUP were unable to provide documentation showing that their institutions had submitted a URL to their contract with their third-party servicer and cost information related to their third-party servicer to the U.S. Department of Education for publication in the Cash Management Contracts Database. BSU, BRCTC, CU, MCTC, SU and WVNCC were unable to provide evidence showing that their institutions documented a due diligence review over the fees assessed by their third-party servicer of Title IV credit balances. Cause: BSU, BRCTC, CU, MCTC, SU, WVUP, and WVNCC did not have an internal control in place to review the contract with their third-party servicer of Title IV credit balances or obtain and review the third-party servicer’s Title IV compliance audit to ensure compliance with federal regulations. As such, instances of noncompliance were noted above. Effect or Potential Effect: The schools are not in compliance with certain federal regulations over T1 arrangements contained in 34 CFR 668.164(e). Questioned Costs: None Context: BSU, BRCTC, CU, MCTC, SU, WVNCC, and WVUP had total expenditures of $7,651,688, $5,084,582, $13,833,684, $4,467,631, $15,171,851, $3,090,314, and $6,847,451 respectively. Total expenditures for the SFA Cluster were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: The schools should implement internal controls over the review of the contract with their third-party servicer of Title IV credit balances and their Title IV compliance audit, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1) and Report on Controls Relevant to Security (SOC 2) to ensure compliance with the federal regulations over T1 arrangements. Documentation over the specific items reviewed and conclusions reached should be retained to support the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–017 SPECIAL TESTS AND PROVISIONS – SATISFACTORY ACADEMIC PROGRESS (N9)
Federal Program Information: Federal Agency and Program Name Assistance Listing #
Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” 34 CFR 668.16(e) states: “For purposes of determining student eligibility for assistance under a title IV, HEA program, establishes, publishes, and applies reasonable standards for measuring whether an otherwise eligible student is maintaining satisfactory academic progress in his or her educational program. The Secretary considers an institution's standards to be reasonable if the standards are in accordance with the provisions specified in § 668.34.” 34 CFR 668.34 states: “An institution must establish a reasonable satisfactory academic progress policy for determining whether an otherwise eligible student is making satisfactory academic progress in his or her educational program and may receive assistance under the title IV, HEA programs. The Secretary considers the institution's policy to be reasonable if— (1) The policy is at least as strict as the policy the institution applies to a student who is not receiving assistance under the title IV, HEA programs; (2) The policy provides for consistent application of standards to all students within categories of students, e.g., full-time, part-time, undergraduate, and graduate students, and educational programs established by the institution; (3) The policy provides that a student's academic progress is evaluated— (i) At the end of each payment period if the educational program is either one academic year in length or shorter than an academic year; or (ii) For all other educational programs, at the end of each payment period or at least annually to correspond with the end of a payment period; (4) (i) The policy specifies the grade point average (GPA) that a student must achieve at each evaluation, or if a GPA is not an appropriate qualitative measure, a comparable assessment measured against a norm; and (ii) If a student is enrolled in an educational program of more than two academic years, the policy specifies that at the end of the second academic year, the student must have a GPA of at least a “C” or its equivalent, or have academic standing consistent with the institution's requirements for graduation; (5) The policy specifies— (i) For all programs, the maximum timeframe as defined in paragraph (b) of this section; and (ii) For a credit hour program using standard or nonstandard terms that is not a subscription-based program, the pace, measured at each evaluation, at which a student must progress through his or her educational program to ensure that the student will complete the program within the maximum timeframe, calculated by either dividing the cumulative number of hours the student has successfully completed by the cumulative number of hours the student has attempted or by determining the number of hours that the student should have completed by the evaluation point in order to complete the program within the maximum timeframe. In making this calculation, the institution is not required to include remedial courses; (6) The policy describes how a student's GPA and pace of completion are affected by course incompletes, withdrawals, or repetitions, or transfers of credit from other institutions. Credit hours from another institution that are accepted toward the student's educational program must count as both attempted and completed hours; (7) Except as provided in paragraphs (c) and (d) of this section, the policy provides that, at the time of each evaluation, a student who has not achieved the required GPA, or who is not successfully completing his or her educational program at the required pace, is no longer eligible to receive assistance under the title IV, HEA programs; (8) If the institution places students on financial aid warning, or on financial aid probation, as defined in paragraph (b) of this section, the policy describes these statuses and that— (i) A student on financial aid warning may continue to receive assistance under the title IV, HEA programs for one payment period despite a determination that the student is not making satisfactory academic progress. Financial aid warning status may be assigned without an appeal or other action by the student; and (ii) A student on financial aid probation may receive title IV, HEA program funds for one payment period. While a student is on financial aid probation, the institution may require the student to fulfill specific terms and conditions such as taking a reduced course load or enrolling in specific courses. At the end of one payment period on financial aid probation, the student must meet the institution's satisfactory academic progress standards or meet the requirements of the academic plan developed by the institution and the student to qualify for further title IV, HEA program funds; (9) If the institution permits a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy describes— (i) How the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; (ii) The basis on which a student may file an appeal: The death of a relative, an injury or illness of the student, or other special circumstances; and (iii) Information the student must submit regarding why the student failed to make satisfactory academic progress, and what has changed in the student's situation that will allow the student to demonstrate satisfactory academic progress at the next evaluation; (10) If the institution does not permit a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy must describe how the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; and (11) The policy provides for notification to students of the results of an evaluation that impacts the student's eligibility for title IV, HEA program funds.” Condition: Bluefield State University (BSU), Fairmont State University (FSU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia School of Osteopathic Medicine (WVSOM), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the satisfactory academic progress (SAP) policy. During our testing, we noted there was no documentation retained to evidence that a review of the SAP policy was performed to ensure compliance with federal regulations. Additionally, Blue Ridge Community College (BRCTC) and WVUP did not publish the most recent version of the SAP policy on their websites. Furthermore, WVSOM did not include reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policy as the related SAP polices excluded the required element #11 above. BRCTC had an appropriate policy, but they did not publish the most recent version of the policy on their website. The older version of the SAP policy that was published on their website did not include the required element #11 above. Cause: Management of BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP did not retain sufficient documentation for their review procedures over the SAP policy. Management of BRCTC and WVSOM did not include all reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policies. Effect or Potential Effect: The published SAP policy may be deemed insufficient for the compliance requirements. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP were $5,084,582, $7,651,688, $17,584,932, $93,991,163, $3,672,778, $16,726,007, $3,090,314, $44,681,370, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should ensure the SAP is reviewed and approved on an annual basis and supporting documentation of the review retained. Management should design and implement internal controls over the SAP policy to ensure all requirements are included in the policy appropriately and published on the institution’s website timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–019 SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY (N12)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls. (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (iv) Assess apps developed by the institution (v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (vi) Dispose of customer information securely (vii) Anticipate and evaluate changes to the information system or network. (viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Blue Ridge Community and Technical College (BRCTC), Concord University (CU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program for Bluefield University (BSU), CU, MU, NRCTC, Shepherd University (SU), WLU, WVNCC, West Virginia State University (WVSU) and WVUP did not address all required elements per 16 CFR 314.4 outlined above. Furthermore, Fairmont State University (FSU) and Pierpont Community and Technical College (PCTC) did not have a written Information Security Program. For FSU, the written Information Security Program was not in place until May 2023. Cause: Management of BRCTC, CU, MU, NRCTC, WLU, WVNCC, and WVUP did not retain sufficient documentation for their review procedures over the Information Security Program. Management of BSU, CU, MU, NRCTC, SU, WVNCC, and WVSU did not include all reasonable standards required for the Information Security Program. Management of FSU and PCTC did not have a written Information Security Program. Effect or Potential Effect: The written Information Security Program may not be compliant with federal regulations. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, CU, FSU, MU, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, and WVUP were $5,084,582, $7,651,688, $13,833,684, $17,584,932, $93,991,163, $3,672,778, $4,388,461, $15,171,851, $16,726,007, $3,090,314, $9,313,808, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–020 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – VERIFICATION (N1)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Fairmont State University (FSU) did not have adequate internal controls in place surrounding the verification compliance requirement. During our testing, we noted for the samples selected that there were multiple selections showing a lack of proper review in the verification process. Cause: FSU did not have adequate internal controls in place to ensure that verification changes identified were processed and submitted to the U.S. Department of Education. Effect or Potential Effect: Students receiving federal aid could receive the incorrect amount of federal student financial assistance. Questioned Costs: N/A Context: We selected a sample of 23 students for FSU and identified 8 instances where the verification forms were not reviewed and approved. Total Student Financial Assistance Cluster expenditures for FSU were $17,584,932 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–015 and 2021–014 Recommendation: Management should develop and update internal controls to ensure that controls related to the verification process are implemented. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–021 BANNER INFORMATION TECHNOLOGY GENERAL CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the Banner application instances at 12 of 15 universities / colleges. As a result, Banner ITGCs, and therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Across the 11 universities/colleges (Blue Ridge Community and Technical College, Bluefield State University, Mountwest Community and Technical College, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia University, West Virginia University at Parkersburg, and West Virginia State University), management did not have a formalized process to support access provisioning events were authorized, approved and documented. Additionally, documentation did not exist to support the timely revocation of access upon a user leaving the university / college. Further, a user access review for Banner was not performed to ensure access remains appropriate based on users’ job responsibilities. We also identified instances where privileged accounts to Banner were shared amongst users and password settings were not configured with leading industry standards. Specific to the change management process, a formalized and documented process was not consistently followed to support that Banner application and supporting infrastructure patches and releases were authorized, tested, and approved prior to being implemented to production. Effect or Potential Effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the student financial aid system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned Costs: None Context: The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified Banner access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the Banner application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the Banner application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access to the Banner application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. Management should configure Banner password settings related to minimum length, complexity, expiration, history, and account lockout to enhance overall security. Further, privileged access to the Banner application should be granted to administrators via unique IDs to provide accountability and avoid the sharing of default privileged accounts. A formal, documented change process needs implemented to capture authorization, testing and production migration approvals for patches and releases to the Banner application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–024 SPECIAL TESTS AND PROVISIONS – USING A SERVICER TO DELIVER TITLE IV CREDIT BALANCES TO A CARD OR OTHER ACCESS DEVICE (N3)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” An institution may enter into an arrangement with a servicer or a financial institution to make a direct payment of federal student aid credit balances to students through electronic funds transfer to a bank account designated by a student or parent, to issue a check payment to the student or to use an access device such as a debit, demand, or smart card provided by the servicer or its financial partner. Regulations at 34 CFR 668.164(e) and (f) establish two different types of arrangements between schools and financial account providers: Tier One arrangements and Tier Two arrangements. The type of arrangement determines the provisions that are applicable to the school. 34 CFR 668.164(e)(2)(viii) states under a T1 arrangement, the institution must “provide to the Secretary an up-to-date URL for the contract and contract data as described in paragraph (e)(2)(vii) of this section for publication in a centralized database accessible to the public.” 34 CFR 668.164(e)(2)(ix) states under a T1 arrangement, the institution must “ensure that the terms of the accounts offered pursuant to a T1 arrangement are not inconsistent with the best financial interests of the students opening them. The Secretary considers this requirement to be met if (A) The institution documents that it conducts reasonable due diligence reviews at least every two years to ascertain whether the fees imposed under the T1 arrangement are, considered as a whole, consistent with or below prevailing market rates; and (B) All contracts for the marketing or offering of accounts pursuant to T1 arrangements to the institution's students make provision for termination of the arrangement by the institution based on complaints received from students or a determination by the institution under paragraph (e)(2)(ix)(A) of this section that the fees assessed under the T1 arrangement are not consistent with or are higher than prevailing market rates.” 34 CFR 668.164(e)(2)(x) states under a T1 arrangement, the institution must “take affirmative steps, by way of contractual arrangements with the third-party servicer as necessary, to ensure that requirements of this section are met with respect to all accounts offered pursuant to T1 arrangements.” Condition: Bluefield State University (BSU), Blueridge Community & Technical College (BRCTC), Concord University (CU), Mountwest Community & Technical College (MCTC), Shepherd University (SU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) have a T1 arrangement with a third-party servicer. BSU, CU, SU, WVNCC, and WVUP were unable to provide documentation showing that their institutions had submitted a URL to their contract with their third-party servicer and cost information related to their third-party servicer to the U.S. Department of Education for publication in the Cash Management Contracts Database. BSU, BRCTC, CU, MCTC, SU and WVNCC were unable to provide evidence showing that their institutions documented a due diligence review over the fees assessed by their third-party servicer of Title IV credit balances. Cause: BSU, BRCTC, CU, MCTC, SU, WVUP, and WVNCC did not have an internal control in place to review the contract with their third-party servicer of Title IV credit balances or obtain and review the third-party servicer’s Title IV compliance audit to ensure compliance with federal regulations. As such, instances of noncompliance were noted above. Effect or Potential Effect: The schools are not in compliance with certain federal regulations over T1 arrangements contained in 34 CFR 668.164(e). Questioned Costs: None Context: BSU, BRCTC, CU, MCTC, SU, WVNCC, and WVUP had total expenditures of $7,651,688, $5,084,582, $13,833,684, $4,467,631, $15,171,851, $3,090,314, and $6,847,451 respectively. Total expenditures for the SFA Cluster were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: The schools should implement internal controls over the review of the contract with their third-party servicer of Title IV credit balances and their Title IV compliance audit, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1) and Report on Controls Relevant to Security (SOC 2) to ensure compliance with the federal regulations over T1 arrangements. Documentation over the specific items reviewed and conclusions reached should be retained to support the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–025 SPECIAL TESTS AND PROVISIONS – PERKINS LOAN RECORDKEEPING AND RECORD RETENTION (N7)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.038
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” As stated in the 2023 OMB Compliance Supplement (34 CFR 674.19), “when an institution uses a third-party servicer for its Perkins Loan program, the institution must perform due diligence to ensure that the third-party servicer is in compliance with the requirements for the functions the third-party servicer is performing for the institution. Such due diligence could include obtaining and reviewing the third-party servicer’s most recent Title IV compliance audit.” 34 CFR 674.19(e)(2) states “an institution shall retain a record of disbursements for each loan made to a borrower on a Master Promissory Note (MPN). This record must show the date and amount of each disbursement.” 34 CFR 674.19(e)(4) states “Manner of retention of promissory notes and repayment schedules. An institution shall keep the original promissory notes and repayment schedules until the loans are satisfied. If required to release original documents in order to enforce the loan, the institution must retain certified true copies of those documents. (i) An institution shall keep the original paper promissory note or original paper MPN and repayment schedules in a locked, fireproof container. (ii) If a promissory note was signed electronically, the institution must store it electronically and the promissory note must be retrievable in a coherent format. An original electronically signed MPN must be retained by the institution for 3 years after all the loans made on the MPN are satisfied. (iii) After the loan obligation is satisfied, the institution shall return the original or a true and exact copy of the note marked “paid in full” to the borrower, or otherwise notify the borrower in writing that the loan is paid in full, and retain a copy for the prescribed period.” Condition: Concord University (CU), Marshall University (MU), Shepherd University (SU), West Liberty University (WLU), West Virginia School of Osteopathic Medicine (WVSOM), and West Virginia University (WVU) did not maintain sufficient evidence of the due diligence review performed over their third-party servicer of its Federal Perkins Loan Program portfolio. While the schools obtained the third-party servicer’s Title IV compliance audit report, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1) and Report on Controls Relevant to Security (SOC 2), the schools did not retain documentation showing what specific items were reviewed or what conclusions were reached related to the servicers compliance with the requirements they were contracted for. For six of 40 Perkins loans sampled, WVU could not provide a copy of the MPN. Cause: CU, MU, SU, WLU, WVSOM and WVU did not have effective internal controls in place requiring retention of the due diligence review performed. WVU did not have adequate internal controls in place over the retention of Perkins loan records, specifically, MPNs. Effect or Potential Effect: The third-party servicer could be out of compliance with federal regulations and have ineffective internal controls which could impact the school’s compliance with the Federal Perkins Loan Program requirements. In addition, WVU is in noncompliance with federal Perkins loan recordkeeping and record retention requirements. Questioned Costs: None Context: CU, MU, SU, WLU, WVSOM, and WVU had Federal Perkins Loan Program expenditures of $1,096,355, $2,246,751, $60,304, $1,076,806, $482,984, and $8,147,751, respectively. Total Federal Perkins Loan Program expenditures were $13,183,684 for the year ended June 30, 2023. Total expenditures for the SFA Cluster were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: The schools should retain all relevant documentation used in performing the due diligence review, including the specific items reviewed and the conclusions reached. In addition, WVU should ensure it is retaining the required Perkins loan program records for the timeframe required per federal regulations. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–017 SPECIAL TESTS AND PROVISIONS – SATISFACTORY ACADEMIC PROGRESS (N9)
Federal Program Information: Federal Agency and Program Name Assistance Listing #
Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” 34 CFR 668.16(e) states: “For purposes of determining student eligibility for assistance under a title IV, HEA program, establishes, publishes, and applies reasonable standards for measuring whether an otherwise eligible student is maintaining satisfactory academic progress in his or her educational program. The Secretary considers an institution's standards to be reasonable if the standards are in accordance with the provisions specified in § 668.34.” 34 CFR 668.34 states: “An institution must establish a reasonable satisfactory academic progress policy for determining whether an otherwise eligible student is making satisfactory academic progress in his or her educational program and may receive assistance under the title IV, HEA programs. The Secretary considers the institution's policy to be reasonable if— (1) The policy is at least as strict as the policy the institution applies to a student who is not receiving assistance under the title IV, HEA programs; (2) The policy provides for consistent application of standards to all students within categories of students, e.g., full-time, part-time, undergraduate, and graduate students, and educational programs established by the institution; (3) The policy provides that a student's academic progress is evaluated— (i) At the end of each payment period if the educational program is either one academic year in length or shorter than an academic year; or (ii) For all other educational programs, at the end of each payment period or at least annually to correspond with the end of a payment period; (4) (i) The policy specifies the grade point average (GPA) that a student must achieve at each evaluation, or if a GPA is not an appropriate qualitative measure, a comparable assessment measured against a norm; and (ii) If a student is enrolled in an educational program of more than two academic years, the policy specifies that at the end of the second academic year, the student must have a GPA of at least a “C” or its equivalent, or have academic standing consistent with the institution's requirements for graduation; (5) The policy specifies— (i) For all programs, the maximum timeframe as defined in paragraph (b) of this section; and (ii) For a credit hour program using standard or nonstandard terms that is not a subscription-based program, the pace, measured at each evaluation, at which a student must progress through his or her educational program to ensure that the student will complete the program within the maximum timeframe, calculated by either dividing the cumulative number of hours the student has successfully completed by the cumulative number of hours the student has attempted or by determining the number of hours that the student should have completed by the evaluation point in order to complete the program within the maximum timeframe. In making this calculation, the institution is not required to include remedial courses; (6) The policy describes how a student's GPA and pace of completion are affected by course incompletes, withdrawals, or repetitions, or transfers of credit from other institutions. Credit hours from another institution that are accepted toward the student's educational program must count as both attempted and completed hours; (7) Except as provided in paragraphs (c) and (d) of this section, the policy provides that, at the time of each evaluation, a student who has not achieved the required GPA, or who is not successfully completing his or her educational program at the required pace, is no longer eligible to receive assistance under the title IV, HEA programs; (8) If the institution places students on financial aid warning, or on financial aid probation, as defined in paragraph (b) of this section, the policy describes these statuses and that— (i) A student on financial aid warning may continue to receive assistance under the title IV, HEA programs for one payment period despite a determination that the student is not making satisfactory academic progress. Financial aid warning status may be assigned without an appeal or other action by the student; and (ii) A student on financial aid probation may receive title IV, HEA program funds for one payment period. While a student is on financial aid probation, the institution may require the student to fulfill specific terms and conditions such as taking a reduced course load or enrolling in specific courses. At the end of one payment period on financial aid probation, the student must meet the institution's satisfactory academic progress standards or meet the requirements of the academic plan developed by the institution and the student to qualify for further title IV, HEA program funds; (9) If the institution permits a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy describes— (i) How the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; (ii) The basis on which a student may file an appeal: The death of a relative, an injury or illness of the student, or other special circumstances; and (iii) Information the student must submit regarding why the student failed to make satisfactory academic progress, and what has changed in the student's situation that will allow the student to demonstrate satisfactory academic progress at the next evaluation; (10) If the institution does not permit a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy must describe how the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; and (11) The policy provides for notification to students of the results of an evaluation that impacts the student's eligibility for title IV, HEA program funds.” Condition: Bluefield State University (BSU), Fairmont State University (FSU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia School of Osteopathic Medicine (WVSOM), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the satisfactory academic progress (SAP) policy. During our testing, we noted there was no documentation retained to evidence that a review of the SAP policy was performed to ensure compliance with federal regulations. Additionally, Blue Ridge Community College (BRCTC) and WVUP did not publish the most recent version of the SAP policy on their websites. Furthermore, WVSOM did not include reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policy as the related SAP polices excluded the required element #11 above. BRCTC had an appropriate policy, but they did not publish the most recent version of the policy on their website. The older version of the SAP policy that was published on their website did not include the required element #11 above. Cause: Management of BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP did not retain sufficient documentation for their review procedures over the SAP policy. Management of BRCTC and WVSOM did not include all reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policies. Effect or Potential Effect: The published SAP policy may be deemed insufficient for the compliance requirements. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP were $5,084,582, $7,651,688, $17,584,932, $93,991,163, $3,672,778, $16,726,007, $3,090,314, $44,681,370, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should ensure the SAP is reviewed and approved on an annual basis and supporting documentation of the review retained. Management should design and implement internal controls over the SAP policy to ensure all requirements are included in the policy appropriately and published on the institution’s website timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–018 INTERNAL CONTROLS OVER FINANCIAL REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: In our control testing, Pierpont Community and Technical College (PCTC) could not provide adequate documentation of controls in place over Pell Common Origination and Disbursement (COD) reconciliations conducted prior to October 2022 to ensure the data reported is complete, accurate, and prepared in accordance with the required instructions. Effective controls were implemented with the reconciliation for October and remained in effect the remainder of the audit period. Cause: PCTC’s policies and procedures did not require adequate documentation be maintained to demonstrate that controls are operating effectively prior to October 2022. Effect or Potential Effect: The U.S. Department of Education could receive incorrect Pell or Direct Loan payment data. Questioned Costs: N/A Context: Total Direct Loans and Pell expenditures for PCTC were $4,201,839 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–014 and 2021–020 Recommendation: We recommend that PCTC continues to use the policies and procedures implemented for reconciliations performed for October 2022 and after. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–019 SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY (N12)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls. (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (iv) Assess apps developed by the institution (v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (vi) Dispose of customer information securely (vii) Anticipate and evaluate changes to the information system or network. (viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Blue Ridge Community and Technical College (BRCTC), Concord University (CU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program for Bluefield University (BSU), CU, MU, NRCTC, Shepherd University (SU), WLU, WVNCC, West Virginia State University (WVSU) and WVUP did not address all required elements per 16 CFR 314.4 outlined above. Furthermore, Fairmont State University (FSU) and Pierpont Community and Technical College (PCTC) did not have a written Information Security Program. For FSU, the written Information Security Program was not in place until May 2023. Cause: Management of BRCTC, CU, MU, NRCTC, WLU, WVNCC, and WVUP did not retain sufficient documentation for their review procedures over the Information Security Program. Management of BSU, CU, MU, NRCTC, SU, WVNCC, and WVSU did not include all reasonable standards required for the Information Security Program. Management of FSU and PCTC did not have a written Information Security Program. Effect or Potential Effect: The written Information Security Program may not be compliant with federal regulations. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, CU, FSU, MU, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, and WVUP were $5,084,582, $7,651,688, $13,833,684, $17,584,932, $93,991,163, $3,672,778, $4,388,461, $15,171,851, $16,726,007, $3,090,314, $9,313,808, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–020 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – VERIFICATION (N1)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Fairmont State University (FSU) did not have adequate internal controls in place surrounding the verification compliance requirement. During our testing, we noted for the samples selected that there were multiple selections showing a lack of proper review in the verification process. Cause: FSU did not have adequate internal controls in place to ensure that verification changes identified were processed and submitted to the U.S. Department of Education. Effect or Potential Effect: Students receiving federal aid could receive the incorrect amount of federal student financial assistance. Questioned Costs: N/A Context: We selected a sample of 23 students for FSU and identified 8 instances where the verification forms were not reviewed and approved. Total Student Financial Assistance Cluster expenditures for FSU were $17,584,932 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–015 and 2021–014 Recommendation: Management should develop and update internal controls to ensure that controls related to the verification process are implemented. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–021 BANNER INFORMATION TECHNOLOGY GENERAL CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the Banner application instances at 12 of 15 universities / colleges. As a result, Banner ITGCs, and therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Across the 11 universities/colleges (Blue Ridge Community and Technical College, Bluefield State University, Mountwest Community and Technical College, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia University, West Virginia University at Parkersburg, and West Virginia State University), management did not have a formalized process to support access provisioning events were authorized, approved and documented. Additionally, documentation did not exist to support the timely revocation of access upon a user leaving the university / college. Further, a user access review for Banner was not performed to ensure access remains appropriate based on users’ job responsibilities. We also identified instances where privileged accounts to Banner were shared amongst users and password settings were not configured with leading industry standards. Specific to the change management process, a formalized and documented process was not consistently followed to support that Banner application and supporting infrastructure patches and releases were authorized, tested, and approved prior to being implemented to production. Effect or Potential Effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the student financial aid system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned Costs: None Context: The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified Banner access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the Banner application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the Banner application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access to the Banner application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. Management should configure Banner password settings related to minimum length, complexity, expiration, history, and account lockout to enhance overall security. Further, privileged access to the Banner application should be granted to administrators via unique IDs to provide accountability and avoid the sharing of default privileged accounts. A formal, documented change process needs implemented to capture authorization, testing and production migration approvals for patches and releases to the Banner application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–022 SPECIAL TESTS AND PROVISIONS – RETURN OF TITLE IV FUNDS (N4)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 34 CFR section 668.173(b) requires timely return of title IV, HEA program funds. “In accordance with procedures established by the Secretary or FFEL Program lender, an institution returns unearned title IV, HEA program funds timely if - (1) The institution deposits or transfers the funds into the bank account it maintains under § 668.163 no later than 45 days after the date it determines that the student withdrew; (2) The institution initiates an electronic funds transfer (EFT) no later than 45 days after the date it determines that the student withdrew; (3) The institution initiates an electronic transaction, no later than 45 days after the date it determines that the student withdrew, that informs a FFEL lender to adjust the borrower’s loan account for the amount returned; or (4) The institution issues a check no later than 45 days after the date it determines that the student withdrew. An institution does not satisfy this requirement if - (i) The institution’s records show that the check was issued more than 45 days after the date the institution determined that the student withdrew; or (ii) The date on the cancelled check shows that the bank used by the Secretary or FFEL Program lender endorsed that check more than 60 days after the date the institution determined that the student withdrew.” Condition: Blue Ridge Community and Technical College (BRCTC), Mountwest Career & Technical College (MCTC), Pierpont Community and Technical College (PCTC), and West Virginia Northern Community College (WVNCC) were unable to provide adequate documentation showing they maintained an effective review process over the returns of Title IV funds. In addition, for Bluefield State University (BSU) it was noted during compliance testing that certain amounts to be returned were not returned timely. Cause: The institutions do not have adequate internal controls in place over the return of Title IV funds to prevent noncompliance. Effect or Potential Effect: The institutions may not be returning the correct amount of federal student financial assistance required or the funds are not returned within the required time frame to the United States Department of Education. Questioned Costs: None Context: In 11 of 29 instances of internal control testing at BRCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. The support documentation provided did not include any evidence of review. In 19 of 22 instances of internal control testing at MCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. MCTC relied on application controls within the Banner system, which has been determined to have ineffective ITGCs. Additionally, the support documentation provided did not include sufficient evidence of review. In 2 of 18 instances in internal control testing at PCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. In addition, the return to Title IV funds was not completed within the required 45-day timeframe. In all 20 instances of internal control testing at WVNCC, we noted that the internal control was not sufficiently documented or not functioning effectively. WVNCC relied on the application controls within the Banner system, which has been determined to have ineffective ITGCs. Additionally, there was no evidence of review of the calculation in the support documentation provided. In one of 40 returns tested for compliance, we noted that one return related to BSU was not completed within the required 45-day timeframe. Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, MCTC, PCTC, and WVNCC were $5,084,582, $7,651,688, $4,467,631, $4,388,461, and $3,090,314, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643 Identification as a Repeat Finding: Prior Year Findings 2022–011 and 2021–015 Recommendation: Management should implement internal controls to ensure that the correct amount of federal student financial assistance is returned and returned within the required time frame. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–023 INTERNAL CONTROLS OVER CASH MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: For the period July 2022 – January 2023 at Fairmont State University (FSU), there was no second level review of drawdown requests for accuracy, completeness and agreement to the underlying books and records of the institution. Bluefield State University (BSU) did not retain evidence of the review and approval for one of seven drawdown requests selected for internal control testing. Mountwest Community and Technical College (MCTC) did not have evidence of the review control related to cash management. Three of the 15 drawdown requests selected for internal control testing did not have proper approval prior to the drawdowns. West Virginia Northern Community College (WVNCC) did not retain evidence of the review and approval for seven of 12 drawdown requests selected for control testing. Cause: For FSU, one individual was responsible for preparing the drawdown request and making the drawdown through the U.S. Department of Education’s G5 payment management system. Internal controls were not implemented until February 2023. BSU, MCTC, and WVNCC have policies and procedures in place to review the drawdowns prior to requesting from the U.S. Department of Education’s G5 payment management system; however, the policies and procedures were not followed for these drawdowns. Effect or Potential Effect: Drawdowns could be inaccurate, incomplete, and not agree to underlying books and records of the institution. Questioned Costs: None Context: Total BSU, FSU, MCTC, and WVNCC expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $7,651,688, $17,584,932, and $4,467,631, and $3,090,314 respectively. Total Student Financial Assistance Cluster expenditures were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: For FSU, management should continue to follow internal controls implemented in February 2023 requiring a second level review of drawdown requests. For BSU, MCTC, and WVNCC, management should follow established policies, procedures and internal controls for the review and approval of drawdown requests. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–024 SPECIAL TESTS AND PROVISIONS – USING A SERVICER TO DELIVER TITLE IV CREDIT BALANCES TO A CARD OR OTHER ACCESS DEVICE (N3)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” An institution may enter into an arrangement with a servicer or a financial institution to make a direct payment of federal student aid credit balances to students through electronic funds transfer to a bank account designated by a student or parent, to issue a check payment to the student or to use an access device such as a debit, demand, or smart card provided by the servicer or its financial partner. Regulations at 34 CFR 668.164(e) and (f) establish two different types of arrangements between schools and financial account providers: Tier One arrangements and Tier Two arrangements. The type of arrangement determines the provisions that are applicable to the school. 34 CFR 668.164(e)(2)(viii) states under a T1 arrangement, the institution must “provide to the Secretary an up-to-date URL for the contract and contract data as described in paragraph (e)(2)(vii) of this section for publication in a centralized database accessible to the public.” 34 CFR 668.164(e)(2)(ix) states under a T1 arrangement, the institution must “ensure that the terms of the accounts offered pursuant to a T1 arrangement are not inconsistent with the best financial interests of the students opening them. The Secretary considers this requirement to be met if (A) The institution documents that it conducts reasonable due diligence reviews at least every two years to ascertain whether the fees imposed under the T1 arrangement are, considered as a whole, consistent with or below prevailing market rates; and (B) All contracts for the marketing or offering of accounts pursuant to T1 arrangements to the institution's students make provision for termination of the arrangement by the institution based on complaints received from students or a determination by the institution under paragraph (e)(2)(ix)(A) of this section that the fees assessed under the T1 arrangement are not consistent with or are higher than prevailing market rates.” 34 CFR 668.164(e)(2)(x) states under a T1 arrangement, the institution must “take affirmative steps, by way of contractual arrangements with the third-party servicer as necessary, to ensure that requirements of this section are met with respect to all accounts offered pursuant to T1 arrangements.” Condition: Bluefield State University (BSU), Blueridge Community & Technical College (BRCTC), Concord University (CU), Mountwest Community & Technical College (MCTC), Shepherd University (SU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) have a T1 arrangement with a third-party servicer. BSU, CU, SU, WVNCC, and WVUP were unable to provide documentation showing that their institutions had submitted a URL to their contract with their third-party servicer and cost information related to their third-party servicer to the U.S. Department of Education for publication in the Cash Management Contracts Database. BSU, BRCTC, CU, MCTC, SU and WVNCC were unable to provide evidence showing that their institutions documented a due diligence review over the fees assessed by their third-party servicer of Title IV credit balances. Cause: BSU, BRCTC, CU, MCTC, SU, WVUP, and WVNCC did not have an internal control in place to review the contract with their third-party servicer of Title IV credit balances or obtain and review the third-party servicer’s Title IV compliance audit to ensure compliance with federal regulations. As such, instances of noncompliance were noted above. Effect or Potential Effect: The schools are not in compliance with certain federal regulations over T1 arrangements contained in 34 CFR 668.164(e). Questioned Costs: None Context: BSU, BRCTC, CU, MCTC, SU, WVNCC, and WVUP had total expenditures of $7,651,688, $5,084,582, $13,833,684, $4,467,631, $15,171,851, $3,090,314, and $6,847,451 respectively. Total expenditures for the SFA Cluster were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: The schools should implement internal controls over the review of the contract with their third-party servicer of Title IV credit balances and their Title IV compliance audit, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1) and Report on Controls Relevant to Security (SOC 2) to ensure compliance with the federal regulations over T1 arrangements. Documentation over the specific items reviewed and conclusions reached should be retained to support the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–026 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – ENROLLMENT REPORTING (N5)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: Internal controls over the review and approval of the enrollment report sent to the National Student Clearinghouse (NSC) were not adequately designed or operating effectively for Bluefield State University (BSU), Blueridge Community and Technical College (BRCTC), Concord University (CU), Fairmont State University (FSU), Marshall University (MU), Mountwest Community and Technical College (MCTC), New River Community and Technical College (NRCTC), Pierpont Community and Technical College (PPCTC), Shepherd University (SU), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia State University (WVSU), West Virginia University (WVU), and West Virginia University at Parkersburg (WVUP). For the enrollment reporting transmissions tested for internal controls, we noted the following: * Final review and approval signoff to submit the enrollment report to NSC, the third-party used in the enrollment reporting process, was not consistently retained by the institution (BSU, BRCTC, PCTC, WLU, WVNCC, WVSU) * A record count reconciliation between the final enrollment report, text file and the number of files received by the NSC, including documentation over how any rejected records were addressed, was not retained. (BSU, BRCTC, CU, FSU, MU, MCTC, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, WVU, WVUP) * Details of the validation of student information included in the enrollment report for accuracy was not consistently retained by the institution. (BSU, FSU, MU, MCTC, NRCTC, WVSU) * The NSC automated emails used as a quality checklist regarding due dates, receipt of the text file by the NSC, availability and completion of the Error Resolution Report, and confirmation of certification and processing by the NSC were not consistently retained by the institution (BSU, BRCTC, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, WVUP) Cause: The institutions did not have adequately designed internal controls in place surrounding the enrollment reporting process. Effect or Potential Effect: The institutions may not promptly notify the National Student Loan Data System (NSLDS) of changes in student status in an accurate and complete manner; thus, inaccurate, or incomplete information could be reported to the NSLDS. Questioned Costs: None Context: The total expenditures for the SFA Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–012 and 2021–016 Recommendation: Documentation over the review and approval of the enrollment report for accuracy and completeness should be retained to evidence the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–017 SPECIAL TESTS AND PROVISIONS – SATISFACTORY ACADEMIC PROGRESS (N9)
Federal Program Information: Federal Agency and Program Name Assistance Listing #
Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” 34 CFR 668.16(e) states: “For purposes of determining student eligibility for assistance under a title IV, HEA program, establishes, publishes, and applies reasonable standards for measuring whether an otherwise eligible student is maintaining satisfactory academic progress in his or her educational program. The Secretary considers an institution's standards to be reasonable if the standards are in accordance with the provisions specified in § 668.34.” 34 CFR 668.34 states: “An institution must establish a reasonable satisfactory academic progress policy for determining whether an otherwise eligible student is making satisfactory academic progress in his or her educational program and may receive assistance under the title IV, HEA programs. The Secretary considers the institution's policy to be reasonable if— (1) The policy is at least as strict as the policy the institution applies to a student who is not receiving assistance under the title IV, HEA programs; (2) The policy provides for consistent application of standards to all students within categories of students, e.g., full-time, part-time, undergraduate, and graduate students, and educational programs established by the institution; (3) The policy provides that a student's academic progress is evaluated— (i) At the end of each payment period if the educational program is either one academic year in length or shorter than an academic year; or (ii) For all other educational programs, at the end of each payment period or at least annually to correspond with the end of a payment period; (4) (i) The policy specifies the grade point average (GPA) that a student must achieve at each evaluation, or if a GPA is not an appropriate qualitative measure, a comparable assessment measured against a norm; and (ii) If a student is enrolled in an educational program of more than two academic years, the policy specifies that at the end of the second academic year, the student must have a GPA of at least a “C” or its equivalent, or have academic standing consistent with the institution's requirements for graduation; (5) The policy specifies— (i) For all programs, the maximum timeframe as defined in paragraph (b) of this section; and (ii) For a credit hour program using standard or nonstandard terms that is not a subscription-based program, the pace, measured at each evaluation, at which a student must progress through his or her educational program to ensure that the student will complete the program within the maximum timeframe, calculated by either dividing the cumulative number of hours the student has successfully completed by the cumulative number of hours the student has attempted or by determining the number of hours that the student should have completed by the evaluation point in order to complete the program within the maximum timeframe. In making this calculation, the institution is not required to include remedial courses; (6) The policy describes how a student's GPA and pace of completion are affected by course incompletes, withdrawals, or repetitions, or transfers of credit from other institutions. Credit hours from another institution that are accepted toward the student's educational program must count as both attempted and completed hours; (7) Except as provided in paragraphs (c) and (d) of this section, the policy provides that, at the time of each evaluation, a student who has not achieved the required GPA, or who is not successfully completing his or her educational program at the required pace, is no longer eligible to receive assistance under the title IV, HEA programs; (8) If the institution places students on financial aid warning, or on financial aid probation, as defined in paragraph (b) of this section, the policy describes these statuses and that— (i) A student on financial aid warning may continue to receive assistance under the title IV, HEA programs for one payment period despite a determination that the student is not making satisfactory academic progress. Financial aid warning status may be assigned without an appeal or other action by the student; and (ii) A student on financial aid probation may receive title IV, HEA program funds for one payment period. While a student is on financial aid probation, the institution may require the student to fulfill specific terms and conditions such as taking a reduced course load or enrolling in specific courses. At the end of one payment period on financial aid probation, the student must meet the institution's satisfactory academic progress standards or meet the requirements of the academic plan developed by the institution and the student to qualify for further title IV, HEA program funds; (9) If the institution permits a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy describes— (i) How the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; (ii) The basis on which a student may file an appeal: The death of a relative, an injury or illness of the student, or other special circumstances; and (iii) Information the student must submit regarding why the student failed to make satisfactory academic progress, and what has changed in the student's situation that will allow the student to demonstrate satisfactory academic progress at the next evaluation; (10) If the institution does not permit a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy must describe how the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; and (11) The policy provides for notification to students of the results of an evaluation that impacts the student's eligibility for title IV, HEA program funds.” Condition: Bluefield State University (BSU), Fairmont State University (FSU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia School of Osteopathic Medicine (WVSOM), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the satisfactory academic progress (SAP) policy. During our testing, we noted there was no documentation retained to evidence that a review of the SAP policy was performed to ensure compliance with federal regulations. Additionally, Blue Ridge Community College (BRCTC) and WVUP did not publish the most recent version of the SAP policy on their websites. Furthermore, WVSOM did not include reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policy as the related SAP polices excluded the required element #11 above. BRCTC had an appropriate policy, but they did not publish the most recent version of the policy on their website. The older version of the SAP policy that was published on their website did not include the required element #11 above. Cause: Management of BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP did not retain sufficient documentation for their review procedures over the SAP policy. Management of BRCTC and WVSOM did not include all reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policies. Effect or Potential Effect: The published SAP policy may be deemed insufficient for the compliance requirements. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP were $5,084,582, $7,651,688, $17,584,932, $93,991,163, $3,672,778, $16,726,007, $3,090,314, $44,681,370, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should ensure the SAP is reviewed and approved on an annual basis and supporting documentation of the review retained. Management should design and implement internal controls over the SAP policy to ensure all requirements are included in the policy appropriately and published on the institution’s website timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–018 INTERNAL CONTROLS OVER FINANCIAL REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: In our control testing, Pierpont Community and Technical College (PCTC) could not provide adequate documentation of controls in place over Pell Common Origination and Disbursement (COD) reconciliations conducted prior to October 2022 to ensure the data reported is complete, accurate, and prepared in accordance with the required instructions. Effective controls were implemented with the reconciliation for October and remained in effect the remainder of the audit period. Cause: PCTC’s policies and procedures did not require adequate documentation be maintained to demonstrate that controls are operating effectively prior to October 2022. Effect or Potential Effect: The U.S. Department of Education could receive incorrect Pell or Direct Loan payment data. Questioned Costs: N/A Context: Total Direct Loans and Pell expenditures for PCTC were $4,201,839 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–014 and 2021–020 Recommendation: We recommend that PCTC continues to use the policies and procedures implemented for reconciliations performed for October 2022 and after. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–019 SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY (N12)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls. (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (iv) Assess apps developed by the institution (v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (vi) Dispose of customer information securely (vii) Anticipate and evaluate changes to the information system or network. (viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Blue Ridge Community and Technical College (BRCTC), Concord University (CU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program for Bluefield University (BSU), CU, MU, NRCTC, Shepherd University (SU), WLU, WVNCC, West Virginia State University (WVSU) and WVUP did not address all required elements per 16 CFR 314.4 outlined above. Furthermore, Fairmont State University (FSU) and Pierpont Community and Technical College (PCTC) did not have a written Information Security Program. For FSU, the written Information Security Program was not in place until May 2023. Cause: Management of BRCTC, CU, MU, NRCTC, WLU, WVNCC, and WVUP did not retain sufficient documentation for their review procedures over the Information Security Program. Management of BSU, CU, MU, NRCTC, SU, WVNCC, and WVSU did not include all reasonable standards required for the Information Security Program. Management of FSU and PCTC did not have a written Information Security Program. Effect or Potential Effect: The written Information Security Program may not be compliant with federal regulations. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, CU, FSU, MU, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, and WVUP were $5,084,582, $7,651,688, $13,833,684, $17,584,932, $93,991,163, $3,672,778, $4,388,461, $15,171,851, $16,726,007, $3,090,314, $9,313,808, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–020 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – VERIFICATION (N1)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Fairmont State University (FSU) did not have adequate internal controls in place surrounding the verification compliance requirement. During our testing, we noted for the samples selected that there were multiple selections showing a lack of proper review in the verification process. Cause: FSU did not have adequate internal controls in place to ensure that verification changes identified were processed and submitted to the U.S. Department of Education. Effect or Potential Effect: Students receiving federal aid could receive the incorrect amount of federal student financial assistance. Questioned Costs: N/A Context: We selected a sample of 23 students for FSU and identified 8 instances where the verification forms were not reviewed and approved. Total Student Financial Assistance Cluster expenditures for FSU were $17,584,932 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–015 and 2021–014 Recommendation: Management should develop and update internal controls to ensure that controls related to the verification process are implemented. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–021 BANNER INFORMATION TECHNOLOGY GENERAL CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the Banner application instances at 12 of 15 universities / colleges. As a result, Banner ITGCs, and therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Across the 11 universities/colleges (Blue Ridge Community and Technical College, Bluefield State University, Mountwest Community and Technical College, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia University, West Virginia University at Parkersburg, and West Virginia State University), management did not have a formalized process to support access provisioning events were authorized, approved and documented. Additionally, documentation did not exist to support the timely revocation of access upon a user leaving the university / college. Further, a user access review for Banner was not performed to ensure access remains appropriate based on users’ job responsibilities. We also identified instances where privileged accounts to Banner were shared amongst users and password settings were not configured with leading industry standards. Specific to the change management process, a formalized and documented process was not consistently followed to support that Banner application and supporting infrastructure patches and releases were authorized, tested, and approved prior to being implemented to production. Effect or Potential Effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the student financial aid system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned Costs: None Context: The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified Banner access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the Banner application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the Banner application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access to the Banner application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. Management should configure Banner password settings related to minimum length, complexity, expiration, history, and account lockout to enhance overall security. Further, privileged access to the Banner application should be granted to administrators via unique IDs to provide accountability and avoid the sharing of default privileged accounts. A formal, documented change process needs implemented to capture authorization, testing and production migration approvals for patches and releases to the Banner application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–022 SPECIAL TESTS AND PROVISIONS – RETURN OF TITLE IV FUNDS (N4)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 34 CFR section 668.173(b) requires timely return of title IV, HEA program funds. “In accordance with procedures established by the Secretary or FFEL Program lender, an institution returns unearned title IV, HEA program funds timely if - (1) The institution deposits or transfers the funds into the bank account it maintains under § 668.163 no later than 45 days after the date it determines that the student withdrew; (2) The institution initiates an electronic funds transfer (EFT) no later than 45 days after the date it determines that the student withdrew; (3) The institution initiates an electronic transaction, no later than 45 days after the date it determines that the student withdrew, that informs a FFEL lender to adjust the borrower’s loan account for the amount returned; or (4) The institution issues a check no later than 45 days after the date it determines that the student withdrew. An institution does not satisfy this requirement if - (i) The institution’s records show that the check was issued more than 45 days after the date the institution determined that the student withdrew; or (ii) The date on the cancelled check shows that the bank used by the Secretary or FFEL Program lender endorsed that check more than 60 days after the date the institution determined that the student withdrew.” Condition: Blue Ridge Community and Technical College (BRCTC), Mountwest Career & Technical College (MCTC), Pierpont Community and Technical College (PCTC), and West Virginia Northern Community College (WVNCC) were unable to provide adequate documentation showing they maintained an effective review process over the returns of Title IV funds. In addition, for Bluefield State University (BSU) it was noted during compliance testing that certain amounts to be returned were not returned timely. Cause: The institutions do not have adequate internal controls in place over the return of Title IV funds to prevent noncompliance. Effect or Potential Effect: The institutions may not be returning the correct amount of federal student financial assistance required or the funds are not returned within the required time frame to the United States Department of Education. Questioned Costs: None Context: In 11 of 29 instances of internal control testing at BRCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. The support documentation provided did not include any evidence of review. In 19 of 22 instances of internal control testing at MCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. MCTC relied on application controls within the Banner system, which has been determined to have ineffective ITGCs. Additionally, the support documentation provided did not include sufficient evidence of review. In 2 of 18 instances in internal control testing at PCTC, we noted that the internal control was not sufficiently documented or not functioning effectively. In addition, the return to Title IV funds was not completed within the required 45-day timeframe. In all 20 instances of internal control testing at WVNCC, we noted that the internal control was not sufficiently documented or not functioning effectively. WVNCC relied on the application controls within the Banner system, which has been determined to have ineffective ITGCs. Additionally, there was no evidence of review of the calculation in the support documentation provided. In one of 40 returns tested for compliance, we noted that one return related to BSU was not completed within the required 45-day timeframe. Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, MCTC, PCTC, and WVNCC were $5,084,582, $7,651,688, $4,467,631, $4,388,461, and $3,090,314, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643 Identification as a Repeat Finding: Prior Year Findings 2022–011 and 2021–015 Recommendation: Management should implement internal controls to ensure that the correct amount of federal student financial assistance is returned and returned within the required time frame. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–023 INTERNAL CONTROLS OVER CASH MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: For the period July 2022 – January 2023 at Fairmont State University (FSU), there was no second level review of drawdown requests for accuracy, completeness and agreement to the underlying books and records of the institution. Bluefield State University (BSU) did not retain evidence of the review and approval for one of seven drawdown requests selected for internal control testing. Mountwest Community and Technical College (MCTC) did not have evidence of the review control related to cash management. Three of the 15 drawdown requests selected for internal control testing did not have proper approval prior to the drawdowns. West Virginia Northern Community College (WVNCC) did not retain evidence of the review and approval for seven of 12 drawdown requests selected for control testing. Cause: For FSU, one individual was responsible for preparing the drawdown request and making the drawdown through the U.S. Department of Education’s G5 payment management system. Internal controls were not implemented until February 2023. BSU, MCTC, and WVNCC have policies and procedures in place to review the drawdowns prior to requesting from the U.S. Department of Education’s G5 payment management system; however, the policies and procedures were not followed for these drawdowns. Effect or Potential Effect: Drawdowns could be inaccurate, incomplete, and not agree to underlying books and records of the institution. Questioned Costs: None Context: Total BSU, FSU, MCTC, and WVNCC expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $7,651,688, $17,584,932, and $4,467,631, and $3,090,314 respectively. Total Student Financial Assistance Cluster expenditures were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: For FSU, management should continue to follow internal controls implemented in February 2023 requiring a second level review of drawdown requests. For BSU, MCTC, and WVNCC, management should follow established policies, procedures and internal controls for the review and approval of drawdown requests. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–024 SPECIAL TESTS AND PROVISIONS – USING A SERVICER TO DELIVER TITLE IV CREDIT BALANCES TO A CARD OR OTHER ACCESS DEVICE (N3)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” An institution may enter into an arrangement with a servicer or a financial institution to make a direct payment of federal student aid credit balances to students through electronic funds transfer to a bank account designated by a student or parent, to issue a check payment to the student or to use an access device such as a debit, demand, or smart card provided by the servicer or its financial partner. Regulations at 34 CFR 668.164(e) and (f) establish two different types of arrangements between schools and financial account providers: Tier One arrangements and Tier Two arrangements. The type of arrangement determines the provisions that are applicable to the school. 34 CFR 668.164(e)(2)(viii) states under a T1 arrangement, the institution must “provide to the Secretary an up-to-date URL for the contract and contract data as described in paragraph (e)(2)(vii) of this section for publication in a centralized database accessible to the public.” 34 CFR 668.164(e)(2)(ix) states under a T1 arrangement, the institution must “ensure that the terms of the accounts offered pursuant to a T1 arrangement are not inconsistent with the best financial interests of the students opening them. The Secretary considers this requirement to be met if (A) The institution documents that it conducts reasonable due diligence reviews at least every two years to ascertain whether the fees imposed under the T1 arrangement are, considered as a whole, consistent with or below prevailing market rates; and (B) All contracts for the marketing or offering of accounts pursuant to T1 arrangements to the institution's students make provision for termination of the arrangement by the institution based on complaints received from students or a determination by the institution under paragraph (e)(2)(ix)(A) of this section that the fees assessed under the T1 arrangement are not consistent with or are higher than prevailing market rates.” 34 CFR 668.164(e)(2)(x) states under a T1 arrangement, the institution must “take affirmative steps, by way of contractual arrangements with the third-party servicer as necessary, to ensure that requirements of this section are met with respect to all accounts offered pursuant to T1 arrangements.” Condition: Bluefield State University (BSU), Blueridge Community & Technical College (BRCTC), Concord University (CU), Mountwest Community & Technical College (MCTC), Shepherd University (SU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) have a T1 arrangement with a third-party servicer. BSU, CU, SU, WVNCC, and WVUP were unable to provide documentation showing that their institutions had submitted a URL to their contract with their third-party servicer and cost information related to their third-party servicer to the U.S. Department of Education for publication in the Cash Management Contracts Database. BSU, BRCTC, CU, MCTC, SU and WVNCC were unable to provide evidence showing that their institutions documented a due diligence review over the fees assessed by their third-party servicer of Title IV credit balances. Cause: BSU, BRCTC, CU, MCTC, SU, WVUP, and WVNCC did not have an internal control in place to review the contract with their third-party servicer of Title IV credit balances or obtain and review the third-party servicer’s Title IV compliance audit to ensure compliance with federal regulations. As such, instances of noncompliance were noted above. Effect or Potential Effect: The schools are not in compliance with certain federal regulations over T1 arrangements contained in 34 CFR 668.164(e). Questioned Costs: None Context: BSU, BRCTC, CU, MCTC, SU, WVNCC, and WVUP had total expenditures of $7,651,688, $5,084,582, $13,833,684, $4,467,631, $15,171,851, $3,090,314, and $6,847,451 respectively. Total expenditures for the SFA Cluster were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: The schools should implement internal controls over the review of the contract with their third-party servicer of Title IV credit balances and their Title IV compliance audit, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1) and Report on Controls Relevant to Security (SOC 2) to ensure compliance with the federal regulations over T1 arrangements. Documentation over the specific items reviewed and conclusions reached should be retained to support the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–026 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – ENROLLMENT REPORTING (N5)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.063/84.268
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: Internal controls over the review and approval of the enrollment report sent to the National Student Clearinghouse (NSC) were not adequately designed or operating effectively for Bluefield State University (BSU), Blueridge Community and Technical College (BRCTC), Concord University (CU), Fairmont State University (FSU), Marshall University (MU), Mountwest Community and Technical College (MCTC), New River Community and Technical College (NRCTC), Pierpont Community and Technical College (PPCTC), Shepherd University (SU), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia State University (WVSU), West Virginia University (WVU), and West Virginia University at Parkersburg (WVUP). For the enrollment reporting transmissions tested for internal controls, we noted the following: * Final review and approval signoff to submit the enrollment report to NSC, the third-party used in the enrollment reporting process, was not consistently retained by the institution (BSU, BRCTC, PCTC, WLU, WVNCC, WVSU) * A record count reconciliation between the final enrollment report, text file and the number of files received by the NSC, including documentation over how any rejected records were addressed, was not retained. (BSU, BRCTC, CU, FSU, MU, MCTC, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, WVU, WVUP) * Details of the validation of student information included in the enrollment report for accuracy was not consistently retained by the institution. (BSU, FSU, MU, MCTC, NRCTC, WVSU) * The NSC automated emails used as a quality checklist regarding due dates, receipt of the text file by the NSC, availability and completion of the Error Resolution Report, and confirmation of certification and processing by the NSC were not consistently retained by the institution (BSU, BRCTC, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, WVUP) Cause: The institutions did not have adequately designed internal controls in place surrounding the enrollment reporting process. Effect or Potential Effect: The institutions may not promptly notify the National Student Loan Data System (NSLDS) of changes in student status in an accurate and complete manner; thus, inaccurate, or incomplete information could be reported to the NSLDS. Questioned Costs: None Context: The total expenditures for the SFA Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–012 and 2021–016 Recommendation: Documentation over the review and approval of the enrollment report for accuracy and completeness should be retained to evidence the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–017 SPECIAL TESTS AND PROVISIONS – SATISFACTORY ACADEMIC PROGRESS (N9)
Federal Program Information: Federal Agency and Program Name Assistance Listing #
Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” 34 CFR 668.16(e) states: “For purposes of determining student eligibility for assistance under a title IV, HEA program, establishes, publishes, and applies reasonable standards for measuring whether an otherwise eligible student is maintaining satisfactory academic progress in his or her educational program. The Secretary considers an institution's standards to be reasonable if the standards are in accordance with the provisions specified in § 668.34.” 34 CFR 668.34 states: “An institution must establish a reasonable satisfactory academic progress policy for determining whether an otherwise eligible student is making satisfactory academic progress in his or her educational program and may receive assistance under the title IV, HEA programs. The Secretary considers the institution's policy to be reasonable if— (1) The policy is at least as strict as the policy the institution applies to a student who is not receiving assistance under the title IV, HEA programs; (2) The policy provides for consistent application of standards to all students within categories of students, e.g., full-time, part-time, undergraduate, and graduate students, and educational programs established by the institution; (3) The policy provides that a student's academic progress is evaluated— (i) At the end of each payment period if the educational program is either one academic year in length or shorter than an academic year; or (ii) For all other educational programs, at the end of each payment period or at least annually to correspond with the end of a payment period; (4) (i) The policy specifies the grade point average (GPA) that a student must achieve at each evaluation, or if a GPA is not an appropriate qualitative measure, a comparable assessment measured against a norm; and (ii) If a student is enrolled in an educational program of more than two academic years, the policy specifies that at the end of the second academic year, the student must have a GPA of at least a “C” or its equivalent, or have academic standing consistent with the institution's requirements for graduation; (5) The policy specifies— (i) For all programs, the maximum timeframe as defined in paragraph (b) of this section; and (ii) For a credit hour program using standard or nonstandard terms that is not a subscription-based program, the pace, measured at each evaluation, at which a student must progress through his or her educational program to ensure that the student will complete the program within the maximum timeframe, calculated by either dividing the cumulative number of hours the student has successfully completed by the cumulative number of hours the student has attempted or by determining the number of hours that the student should have completed by the evaluation point in order to complete the program within the maximum timeframe. In making this calculation, the institution is not required to include remedial courses; (6) The policy describes how a student's GPA and pace of completion are affected by course incompletes, withdrawals, or repetitions, or transfers of credit from other institutions. Credit hours from another institution that are accepted toward the student's educational program must count as both attempted and completed hours; (7) Except as provided in paragraphs (c) and (d) of this section, the policy provides that, at the time of each evaluation, a student who has not achieved the required GPA, or who is not successfully completing his or her educational program at the required pace, is no longer eligible to receive assistance under the title IV, HEA programs; (8) If the institution places students on financial aid warning, or on financial aid probation, as defined in paragraph (b) of this section, the policy describes these statuses and that— (i) A student on financial aid warning may continue to receive assistance under the title IV, HEA programs for one payment period despite a determination that the student is not making satisfactory academic progress. Financial aid warning status may be assigned without an appeal or other action by the student; and (ii) A student on financial aid probation may receive title IV, HEA program funds for one payment period. While a student is on financial aid probation, the institution may require the student to fulfill specific terms and conditions such as taking a reduced course load or enrolling in specific courses. At the end of one payment period on financial aid probation, the student must meet the institution's satisfactory academic progress standards or meet the requirements of the academic plan developed by the institution and the student to qualify for further title IV, HEA program funds; (9) If the institution permits a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy describes— (i) How the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; (ii) The basis on which a student may file an appeal: The death of a relative, an injury or illness of the student, or other special circumstances; and (iii) Information the student must submit regarding why the student failed to make satisfactory academic progress, and what has changed in the student's situation that will allow the student to demonstrate satisfactory academic progress at the next evaluation; (10) If the institution does not permit a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy must describe how the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; and (11) The policy provides for notification to students of the results of an evaluation that impacts the student's eligibility for title IV, HEA program funds.” Condition: Bluefield State University (BSU), Fairmont State University (FSU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia School of Osteopathic Medicine (WVSOM), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the satisfactory academic progress (SAP) policy. During our testing, we noted there was no documentation retained to evidence that a review of the SAP policy was performed to ensure compliance with federal regulations. Additionally, Blue Ridge Community College (BRCTC) and WVUP did not publish the most recent version of the SAP policy on their websites. Furthermore, WVSOM did not include reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policy as the related SAP polices excluded the required element #11 above. BRCTC had an appropriate policy, but they did not publish the most recent version of the policy on their website. The older version of the SAP policy that was published on their website did not include the required element #11 above. Cause: Management of BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP did not retain sufficient documentation for their review procedures over the SAP policy. Management of BRCTC and WVSOM did not include all reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policies. Effect or Potential Effect: The published SAP policy may be deemed insufficient for the compliance requirements. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP were $5,084,582, $7,651,688, $17,584,932, $93,991,163, $3,672,778, $16,726,007, $3,090,314, $44,681,370, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should ensure the SAP is reviewed and approved on an annual basis and supporting documentation of the review retained. Management should design and implement internal controls over the SAP policy to ensure all requirements are included in the policy appropriately and published on the institution’s website timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–019 SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY (N12)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls. (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (iv) Assess apps developed by the institution (v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (vi) Dispose of customer information securely (vii) Anticipate and evaluate changes to the information system or network. (viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Blue Ridge Community and Technical College (BRCTC), Concord University (CU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program for Bluefield University (BSU), CU, MU, NRCTC, Shepherd University (SU), WLU, WVNCC, West Virginia State University (WVSU) and WVUP did not address all required elements per 16 CFR 314.4 outlined above. Furthermore, Fairmont State University (FSU) and Pierpont Community and Technical College (PCTC) did not have a written Information Security Program. For FSU, the written Information Security Program was not in place until May 2023. Cause: Management of BRCTC, CU, MU, NRCTC, WLU, WVNCC, and WVUP did not retain sufficient documentation for their review procedures over the Information Security Program. Management of BSU, CU, MU, NRCTC, SU, WVNCC, and WVSU did not include all reasonable standards required for the Information Security Program. Management of FSU and PCTC did not have a written Information Security Program. Effect or Potential Effect: The written Information Security Program may not be compliant with federal regulations. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, CU, FSU, MU, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, and WVUP were $5,084,582, $7,651,688, $13,833,684, $17,584,932, $93,991,163, $3,672,778, $4,388,461, $15,171,851, $16,726,007, $3,090,314, $9,313,808, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–020 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – VERIFICATION (N1)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Fairmont State University (FSU) did not have adequate internal controls in place surrounding the verification compliance requirement. During our testing, we noted for the samples selected that there were multiple selections showing a lack of proper review in the verification process. Cause: FSU did not have adequate internal controls in place to ensure that verification changes identified were processed and submitted to the U.S. Department of Education. Effect or Potential Effect: Students receiving federal aid could receive the incorrect amount of federal student financial assistance. Questioned Costs: N/A Context: We selected a sample of 23 students for FSU and identified 8 instances where the verification forms were not reviewed and approved. Total Student Financial Assistance Cluster expenditures for FSU were $17,584,932 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–015 and 2021–014 Recommendation: Management should develop and update internal controls to ensure that controls related to the verification process are implemented. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–021 BANNER INFORMATION TECHNOLOGY GENERAL CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the Banner application instances at 12 of 15 universities / colleges. As a result, Banner ITGCs, and therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Across the 11 universities/colleges (Blue Ridge Community and Technical College, Bluefield State University, Mountwest Community and Technical College, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia University, West Virginia University at Parkersburg, and West Virginia State University), management did not have a formalized process to support access provisioning events were authorized, approved and documented. Additionally, documentation did not exist to support the timely revocation of access upon a user leaving the university / college. Further, a user access review for Banner was not performed to ensure access remains appropriate based on users’ job responsibilities. We also identified instances where privileged accounts to Banner were shared amongst users and password settings were not configured with leading industry standards. Specific to the change management process, a formalized and documented process was not consistently followed to support that Banner application and supporting infrastructure patches and releases were authorized, tested, and approved prior to being implemented to production. Effect or Potential Effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the student financial aid system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned Costs: None Context: The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified Banner access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the Banner application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the Banner application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access to the Banner application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. Management should configure Banner password settings related to minimum length, complexity, expiration, history, and account lockout to enhance overall security. Further, privileged access to the Banner application should be granted to administrators via unique IDs to provide accountability and avoid the sharing of default privileged accounts. A formal, documented change process needs implemented to capture authorization, testing and production migration approvals for patches and releases to the Banner application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–024 SPECIAL TESTS AND PROVISIONS – USING A SERVICER TO DELIVER TITLE IV CREDIT BALANCES TO A CARD OR OTHER ACCESS DEVICE (N3)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” An institution may enter into an arrangement with a servicer or a financial institution to make a direct payment of federal student aid credit balances to students through electronic funds transfer to a bank account designated by a student or parent, to issue a check payment to the student or to use an access device such as a debit, demand, or smart card provided by the servicer or its financial partner. Regulations at 34 CFR 668.164(e) and (f) establish two different types of arrangements between schools and financial account providers: Tier One arrangements and Tier Two arrangements. The type of arrangement determines the provisions that are applicable to the school. 34 CFR 668.164(e)(2)(viii) states under a T1 arrangement, the institution must “provide to the Secretary an up-to-date URL for the contract and contract data as described in paragraph (e)(2)(vii) of this section for publication in a centralized database accessible to the public.” 34 CFR 668.164(e)(2)(ix) states under a T1 arrangement, the institution must “ensure that the terms of the accounts offered pursuant to a T1 arrangement are not inconsistent with the best financial interests of the students opening them. The Secretary considers this requirement to be met if (A) The institution documents that it conducts reasonable due diligence reviews at least every two years to ascertain whether the fees imposed under the T1 arrangement are, considered as a whole, consistent with or below prevailing market rates; and (B) All contracts for the marketing or offering of accounts pursuant to T1 arrangements to the institution's students make provision for termination of the arrangement by the institution based on complaints received from students or a determination by the institution under paragraph (e)(2)(ix)(A) of this section that the fees assessed under the T1 arrangement are not consistent with or are higher than prevailing market rates.” 34 CFR 668.164(e)(2)(x) states under a T1 arrangement, the institution must “take affirmative steps, by way of contractual arrangements with the third-party servicer as necessary, to ensure that requirements of this section are met with respect to all accounts offered pursuant to T1 arrangements.” Condition: Bluefield State University (BSU), Blueridge Community & Technical College (BRCTC), Concord University (CU), Mountwest Community & Technical College (MCTC), Shepherd University (SU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) have a T1 arrangement with a third-party servicer. BSU, CU, SU, WVNCC, and WVUP were unable to provide documentation showing that their institutions had submitted a URL to their contract with their third-party servicer and cost information related to their third-party servicer to the U.S. Department of Education for publication in the Cash Management Contracts Database. BSU, BRCTC, CU, MCTC, SU and WVNCC were unable to provide evidence showing that their institutions documented a due diligence review over the fees assessed by their third-party servicer of Title IV credit balances. Cause: BSU, BRCTC, CU, MCTC, SU, WVUP, and WVNCC did not have an internal control in place to review the contract with their third-party servicer of Title IV credit balances or obtain and review the third-party servicer’s Title IV compliance audit to ensure compliance with federal regulations. As such, instances of noncompliance were noted above. Effect or Potential Effect: The schools are not in compliance with certain federal regulations over T1 arrangements contained in 34 CFR 668.164(e). Questioned Costs: None Context: BSU, BRCTC, CU, MCTC, SU, WVNCC, and WVUP had total expenditures of $7,651,688, $5,084,582, $13,833,684, $4,467,631, $15,171,851, $3,090,314, and $6,847,451 respectively. Total expenditures for the SFA Cluster were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: The schools should implement internal controls over the review of the contract with their third-party servicer of Title IV credit balances and their Title IV compliance audit, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1) and Report on Controls Relevant to Security (SOC 2) to ensure compliance with the federal regulations over T1 arrangements. Documentation over the specific items reviewed and conclusions reached should be retained to support the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–028 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF) ESF Section 1 – Elementary and Secondary Education COVID-19 84.425C COVID-19 84.425D
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) Reports, it was noted that eight (8) reports were not submitted by the State of West Virginia. In addition, for 1 of the 9 reports that was submitted, there was not adequate documentation to support an appropriate level of review and approval of the FFATA report.
Cause: The original grant funding from the U.S. Department of Education was received by the Office of the Governors of the State of West Virginia. These funds were in turn passed through to the State of West Virginia Department of Education (WVDE) which subsequently passed through a portion of the funding to the Local Educational Agencies (subrecipients). WVDE did not notify the Office of the Governor that the monies were passed to subrecipients and the FAFTA report was not filed. In addition, documentation to support internal controls review was not provided for the 1 report that was submitted during the year. Effect or Potential Effect: The State of West Virginia did not report the necessary FFATA report for the Education Stabilization Fund first-tier subawards over $30,000 to the FFATA Subaward Reporting System. Questioned Costs: N/A Context: We tested 9 FFATA reports related to subawards with grant funding amount of $4,030,511. of which 8 FFATA reports were not submitted that totaled $2,750,250. The federal expenditures for the Education Stabilization Fund program for the fiscal year ended June 30, 2023 were $323,733,675. Identification as a Repeat Finding: Prior Year Finding 2022–025 Recommendation: We recommend that WVDE strengthen internal controls and procedures over communication with the Office of the Governor related to FFATA reporting to ensure they are in compliance with the federal reporting requirements. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–028 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF) ESF Section 1 – Elementary and Secondary Education COVID-19 84.425C COVID-19 84.425D
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) Reports, it was noted that eight (8) reports were not submitted by the State of West Virginia. In addition, for 1 of the 9 reports that was submitted, there was not adequate documentation to support an appropriate level of review and approval of the FFATA report.
Cause: The original grant funding from the U.S. Department of Education was received by the Office of the Governors of the State of West Virginia. These funds were in turn passed through to the State of West Virginia Department of Education (WVDE) which subsequently passed through a portion of the funding to the Local Educational Agencies (subrecipients). WVDE did not notify the Office of the Governor that the monies were passed to subrecipients and the FAFTA report was not filed. In addition, documentation to support internal controls review was not provided for the 1 report that was submitted during the year. Effect or Potential Effect: The State of West Virginia did not report the necessary FFATA report for the Education Stabilization Fund first-tier subawards over $30,000 to the FFATA Subaward Reporting System. Questioned Costs: N/A Context: We tested 9 FFATA reports related to subawards with grant funding amount of $4,030,511. of which 8 FFATA reports were not submitted that totaled $2,750,250. The federal expenditures for the Education Stabilization Fund program for the fiscal year ended June 30, 2023 were $323,733,675. Identification as a Repeat Finding: Prior Year Finding 2022–025 Recommendation: We recommend that WVDE strengthen internal controls and procedures over communication with the Office of the Governor related to FFATA reporting to ensure they are in compliance with the federal reporting requirements. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–029 REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 1 – Elementary and Secondary Education COVID-19 84.425D/84.425R/84.425U/84.425V, Grant Award S425R210008, Grant Award S425D210036, Grant Award S425U210036, Grant Award S425V210008 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the American Rescue Plan (ARP) Act and 34 CFR Part 76, grantees that receive Elementary and Secondary School Emergency Relief (ESSER) Fund, Governor’s Emergency Education Relief (GEER) Fund and Emergency Assistance to Nonpublic Schools (EANS) Program must submit an annual performance report with data on expenditures, planned expenditures, subrecipients, and uses of funds, including for mandatory reservations. Condition: Management did not provide evidence of the review and approval of the annual ESSER and EANS report. In addition, for the annual EANS report, documentation supporting the amounts reported was not provided. Cause: The Department of Education did not have sufficient internal controls over the review and approval of the annual ESSER and EANS reports. In addition, sufficient internal controls are not in place to require the maintenance of supporting documentation. Effect or Potential Effect: ESSER and EANS reports submitted could have incorrect or inaccurate data/amounts. Questioned Costs: N/A Context: The ESSER and the EANS annual reports submitted relate to year ended June 30, 2022. The total expenditures for the ARP ESSER and ARP EANS programs in fiscal year 2022 were $163,642,108 and $2,989,943, respectively. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend WVDE enforces the existing policies and procedures and retain documentation over review and approval of reports prior to submission. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–030 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 1 – Elementary and Secondary Education COVID-19 84.425D/84.425U; Grant Award – S425U210036, Grant Award – S425D210036, Grant Award – S425D200036 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the West Virginia Department of Education must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.403 requires that costs “be necessary and reasonable for the performance of the Federal award.” Costs should not consist of improper payments, including payments that were made to an ineligible party or for an ineligible good or service or payments for goods or services not received. Condition: The West Virginia Department of Education (WVDE) paid a Local Educational Agency invoice amounting to $566,340 for which the good or service was not received or was only partially received. Cause: WVDE paid invoices to a Local Educational Agency that has not followed the appropriate procurement procedures. Effect or Potential Effect: Unallowable expenditures may have been paid with federal funds. Questioned Costs: $566,340 Context: Total federal expenditures for the Education Stabilization Fund program were $323,733,675 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that WVDE strengthen its internal controls over subrecipient monitoring to ensure that all invoices are accurate and that costs are for appropriately procured and eligible good or service under the federal program. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–033 CASH MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 2 – Higher Education, (Higher Education Emergency Relief Fund (HEERF)) COVID-19 84.425E, F, J; Grant Award P425J200063, Grant Award P425E201113, Grant Award P425F201736, Grant Award P425J200056 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” For CRRSAA, HEERF II and ARP HEERF III, the Certification and Agreements and/or Supplemental Agreements requires that Student Aid Portion (Assistance Listing 84.425E) should be disbursed within 15 calendar days of the drawdown from ED’s G5 grants system and Institutional Aid Portion, (a)(2), and (a)(3) funds (all other ALNs) should be disbursed within three calendar days of the drawdown from G5. For lost revenue, the “obligation” occurs on the date the institution completes its estimate of its amount of lost revenue after the estimation period. Condition: For three disbursement samples for Bluefield State College (BSC) we noted that the disbursements did not occur within 3 calendar days of the drawdown from ED’s G5 grants system. In addition, during our review of the schedule of expenditures of federal awards, we noted West Virginia State University (WVSU) had an ending cash balance of $397,412 at June 30, 2023. Cause: BSC incurred the expenses and performed the drawdown from the ED’s G5 grants system. Three of the expenses were paid by the State of West Virginia on behalf of Bluefield State College and these expenses were initially rejected by the State auditor and while subsequently resolved and paid, the timing caused the time lag between the drawdown date and the payment date to be outside of the allowed 3 calendar days. WVSU did not have adequate internal controls in place to ensure a thorough review of cash balance on hand was performed prior to performing drawdowns from the ED’s G5 grants system. Effect or Potential Effect: BSC was not incompliance with the requirement to disburse funds within 3 days of the drawdown from G5. WVSU has over drawn funds under the HEERF program resulting in an ending cash balance at June 30, 2023. Consequently, this resulted in a violation of the cash management rules. Questioned Costs: $397,412 (Grant Award No’s: P425E201113, P425F201736, P425J200056 Context: Total BSC expenditures for the HEERF were $5,959,981 and the total WVSU expenditures for the HEERF were $13,084,264 representing 1.8% and 4.0%, respectively of the total Education Stabilization Fund and HEERF (84.425) expenditures of $323,733,675 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–024 Recommendation: Management of BSC and WVSU should enhance its internal controls to ensure funds are disbursed within the stipulated time frame and/or drawdown funds after the expenditures have been disbursed. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–032 INTERNAL CONTROLS OVER ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 2 – Higher Education, (Higher Education Emergency Relief Fund (HEERF)) COVID-19 84.425F, Grant Award P425F201180 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: During our testing of allowability at West Liberty University (WLU), we noted $1,017,478 was disbursed in student aid payments from the HEERF institutional funds. The detail report on student enrollment and outstanding balances was generated from Banner and downloaded into an excel file. WLU did not retain the detail Banner report or report parameters used to run the report, therefore, we could not support the completeness and accuracy of the report. In addition, in our allowability testing we noted 1 instance where the appropriate review and approval of the costs charged to the HEERF program was not noted. Cause: Management did not retain the supporting documentation for the detail Banner report on student enrollment or outstanding balances. For the 1 instance there was no documentation to support that the review of the expenditure for allowability was performed. Effect or Potential Effect: There is a risk that the report on student enrollment and outstanding balances generated from the Banner system is inaccurate or incomplete. This may further lead to improper amounts applied to the student’s accounts. In addition, lack of an appropriate review and approval of expenditures could potentially lead to unallowable costs charged to the program. Questioned Costs: None Context: Total HEERF expenditures for WLU was $3,298,313 for the year ended June 30, 2023. The total expenditures for the HEERF program for the year ended June 30, 2023 were $323,733,675. Identification as a Repeat Finding: Prior Year Finding 2022–023 Recommendation: We recommend Management retain the supporting Banner reports and report parameters to support the accuracy and completeness of the data.
In addition, we recommend Management to document the review and approval of costs charged to the HEERF program. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–033 CASH MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 2 – Higher Education, (Higher Education Emergency Relief Fund (HEERF)) COVID-19 84.425E, F, J; Grant Award P425J200063, Grant Award P425E201113, Grant Award P425F201736, Grant Award P425J200056 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” For CRRSAA, HEERF II and ARP HEERF III, the Certification and Agreements and/or Supplemental Agreements requires that Student Aid Portion (Assistance Listing 84.425E) should be disbursed within 15 calendar days of the drawdown from ED’s G5 grants system and Institutional Aid Portion, (a)(2), and (a)(3) funds (all other ALNs) should be disbursed within three calendar days of the drawdown from G5. For lost revenue, the “obligation” occurs on the date the institution completes its estimate of its amount of lost revenue after the estimation period. Condition: For three disbursement samples for Bluefield State College (BSC) we noted that the disbursements did not occur within 3 calendar days of the drawdown from ED’s G5 grants system. In addition, during our review of the schedule of expenditures of federal awards, we noted West Virginia State University (WVSU) had an ending cash balance of $397,412 at June 30, 2023. Cause: BSC incurred the expenses and performed the drawdown from the ED’s G5 grants system. Three of the expenses were paid by the State of West Virginia on behalf of Bluefield State College and these expenses were initially rejected by the State auditor and while subsequently resolved and paid, the timing caused the time lag between the drawdown date and the payment date to be outside of the allowed 3 calendar days. WVSU did not have adequate internal controls in place to ensure a thorough review of cash balance on hand was performed prior to performing drawdowns from the ED’s G5 grants system. Effect or Potential Effect: BSC was not incompliance with the requirement to disburse funds within 3 days of the drawdown from G5. WVSU has over drawn funds under the HEERF program resulting in an ending cash balance at June 30, 2023. Consequently, this resulted in a violation of the cash management rules. Questioned Costs: $397,412 (Grant Award No’s: P425E201113, P425F201736, P425J200056 Context: Total BSC expenditures for the HEERF were $5,959,981 and the total WVSU expenditures for the HEERF were $13,084,264 representing 1.8% and 4.0%, respectively of the total Education Stabilization Fund and HEERF (84.425) expenditures of $323,733,675 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–024 Recommendation: Management of BSC and WVSU should enhance its internal controls to ensure funds are disbursed within the stipulated time frame and/or drawdown funds after the expenditures have been disbursed. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–031 INTERNAL CONTROLS OVER ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 2 – Higher Education, (Higher Education Emergency Relief Fund (HEERF)) COVID-19 84.425J, Grant Award –P425J200056 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the West Virginia State University (WVSU) must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: In our testing of payroll expenditures charged to the HEERF, we noted 7 transactions for which the employee’s time sheets were not approved. Cause: WVSU does not have proper internal controls in place to ensure that timesheets are approved by the employee’s supervisor/manager. Effect or Potential Effect: Potentially incorrect or unallowable costs could be charged to the federal program. Questioned Costs: None Context: We tested a total of 40 payroll transactions (total costs of $91,515) for the WVSU and for 7 payroll transactions (totaling $19,645), timesheets were not approved by the employee’s supervisor or manager. Total payroll expenditures charged to HEERF in fiscal year 2023 was $8,706,376. The total expenditures for the HEERF program is $323,733,675 for the year ended June 30, 2023. Identification as a Repeat Finding: This finding is not a repeat finding from prior year. Recommendation: We recommend that WVSU strengthen its internal controls to ensure that all timesheets are approved to ensure allowable costs are charged under the federal program. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–033 CASH MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 2 – Higher Education, (Higher Education Emergency Relief Fund (HEERF)) COVID-19 84.425E, F, J; Grant Award P425J200063, Grant Award P425E201113, Grant Award P425F201736, Grant Award P425J200056 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” For CRRSAA, HEERF II and ARP HEERF III, the Certification and Agreements and/or Supplemental Agreements requires that Student Aid Portion (Assistance Listing 84.425E) should be disbursed within 15 calendar days of the drawdown from ED’s G5 grants system and Institutional Aid Portion, (a)(2), and (a)(3) funds (all other ALNs) should be disbursed within three calendar days of the drawdown from G5. For lost revenue, the “obligation” occurs on the date the institution completes its estimate of its amount of lost revenue after the estimation period. Condition: For three disbursement samples for Bluefield State College (BSC) we noted that the disbursements did not occur within 3 calendar days of the drawdown from ED’s G5 grants system. In addition, during our review of the schedule of expenditures of federal awards, we noted West Virginia State University (WVSU) had an ending cash balance of $397,412 at June 30, 2023. Cause: BSC incurred the expenses and performed the drawdown from the ED’s G5 grants system. Three of the expenses were paid by the State of West Virginia on behalf of Bluefield State College and these expenses were initially rejected by the State auditor and while subsequently resolved and paid, the timing caused the time lag between the drawdown date and the payment date to be outside of the allowed 3 calendar days. WVSU did not have adequate internal controls in place to ensure a thorough review of cash balance on hand was performed prior to performing drawdowns from the ED’s G5 grants system. Effect or Potential Effect: BSC was not incompliance with the requirement to disburse funds within 3 days of the drawdown from G5. WVSU has over drawn funds under the HEERF program resulting in an ending cash balance at June 30, 2023. Consequently, this resulted in a violation of the cash management rules. Questioned Costs: $397,412 (Grant Award No’s: P425E201113, P425F201736, P425J200056 Context: Total BSC expenditures for the HEERF were $5,959,981 and the total WVSU expenditures for the HEERF were $13,084,264 representing 1.8% and 4.0%, respectively of the total Education Stabilization Fund and HEERF (84.425) expenditures of $323,733,675 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–024 Recommendation: Management of BSC and WVSU should enhance its internal controls to ensure funds are disbursed within the stipulated time frame and/or drawdown funds after the expenditures have been disbursed. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–029 REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 1 – Elementary and Secondary Education COVID-19 84.425D/84.425R/84.425U/84.425V, Grant Award S425R210008, Grant Award S425D210036, Grant Award S425U210036, Grant Award S425V210008 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the American Rescue Plan (ARP) Act and 34 CFR Part 76, grantees that receive Elementary and Secondary School Emergency Relief (ESSER) Fund, Governor’s Emergency Education Relief (GEER) Fund and Emergency Assistance to Nonpublic Schools (EANS) Program must submit an annual performance report with data on expenditures, planned expenditures, subrecipients, and uses of funds, including for mandatory reservations. Condition: Management did not provide evidence of the review and approval of the annual ESSER and EANS report. In addition, for the annual EANS report, documentation supporting the amounts reported was not provided. Cause: The Department of Education did not have sufficient internal controls over the review and approval of the annual ESSER and EANS reports. In addition, sufficient internal controls are not in place to require the maintenance of supporting documentation. Effect or Potential Effect: ESSER and EANS reports submitted could have incorrect or inaccurate data/amounts. Questioned Costs: N/A Context: The ESSER and the EANS annual reports submitted relate to year ended June 30, 2022. The total expenditures for the ARP ESSER and ARP EANS programs in fiscal year 2022 were $163,642,108 and $2,989,943, respectively. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend WVDE enforces the existing policies and procedures and retain documentation over review and approval of reports prior to submission. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–027 MAINTENANCE OF EFFORT
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF) COVID-19 84.425U, Grant Award S425D210036, Grant Award S425V210008, Grant Award S425U210036, Grant Award S425U210036 – 21A, Grant Award S425W210050 – 21A, Grant Award S425D200036 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under section 317 of the Coronavirus Response and Relief Supplemental Appropriation (CRRSA) Act, for fiscal year 2022, a state that receives Elementary and Secondary School Emergency Relief (ESSER) II, Governor’s Emergency Education Relief (GEER) II, or Emergency Assistance to Nonpublic Schools (EANS) funds under the CRRSA Act must: a) Maintain State support for elementary and secondary education in fiscal year 2022 at least at the proportional level of the state’s support for elementary and secondary education relative to the state’s overall spending, averaged over fiscal years 2017, 2018, and 2019; and b) Maintain state support for higher education in fiscal year 2022 at least at the proportional level of the state’s support for higher education relative to the state’s overall spending, averaged over fiscal years 2017, 2018, and 2019. Under section 2004(a) of the American Rescue Plan (ARP) Act, a state that receives ARP ESSER funds must meet the above Maintenance of Effort (MOE) requirement in each of fiscal years 2022 and 2023. Condition: The Department of Education did not provide the calculations to support meeting the maintenance of effort provisions for fiscal year 2023. Cause: The Department of Education did not provide the documentation and calculations supporting the maintenance of effort for fiscal year 2023. The calculations are performed by the State Budget Office and the calculations have not been prepared as of the date of the audit report. The Department of Education had previously requested a waiver from the provisions but did not receive approval specific to fiscal year 2023. Effect or Potential Effect: The ESF did not meet the maintenance of effort requirement. Questioned Costs: N/A Context: Total federal expenditures for the ESF program for the fiscal year ended June 30, 2023, were $323,733,675. Identification as a Repeat Finding: Prior Year Finding 2022-021 Recommendation: The West Virginia Department of Education management and the State Legislative officials need to implement procedures to ensure adequate appropriations are made to meet the maintenance of effort requirements. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–029 REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 1 – Elementary and Secondary Education COVID-19 84.425D/84.425R/84.425U/84.425V, Grant Award S425R210008, Grant Award S425D210036, Grant Award S425U210036, Grant Award S425V210008 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the American Rescue Plan (ARP) Act and 34 CFR Part 76, grantees that receive Elementary and Secondary School Emergency Relief (ESSER) Fund, Governor’s Emergency Education Relief (GEER) Fund and Emergency Assistance to Nonpublic Schools (EANS) Program must submit an annual performance report with data on expenditures, planned expenditures, subrecipients, and uses of funds, including for mandatory reservations. Condition: Management did not provide evidence of the review and approval of the annual ESSER and EANS report. In addition, for the annual EANS report, documentation supporting the amounts reported was not provided. Cause: The Department of Education did not have sufficient internal controls over the review and approval of the annual ESSER and EANS reports. In addition, sufficient internal controls are not in place to require the maintenance of supporting documentation. Effect or Potential Effect: ESSER and EANS reports submitted could have incorrect or inaccurate data/amounts. Questioned Costs: N/A Context: The ESSER and the EANS annual reports submitted relate to year ended June 30, 2022. The total expenditures for the ARP ESSER and ARP EANS programs in fiscal year 2022 were $163,642,108 and $2,989,943, respectively. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend WVDE enforces the existing policies and procedures and retain documentation over review and approval of reports prior to submission. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–030 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 1 – Elementary and Secondary Education COVID-19 84.425D/84.425U; Grant Award – S425U210036, Grant Award – S425D210036, Grant Award – S425D200036 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the West Virginia Department of Education must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.403 requires that costs “be necessary and reasonable for the performance of the Federal award.” Costs should not consist of improper payments, including payments that were made to an ineligible party or for an ineligible good or service or payments for goods or services not received. Condition: The West Virginia Department of Education (WVDE) paid a Local Educational Agency invoice amounting to $566,340 for which the good or service was not received or was only partially received. Cause: WVDE paid invoices to a Local Educational Agency that has not followed the appropriate procurement procedures. Effect or Potential Effect: Unallowable expenditures may have been paid with federal funds. Questioned Costs: $566,340 Context: Total federal expenditures for the Education Stabilization Fund program were $323,733,675 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that WVDE strengthen its internal controls over subrecipient monitoring to ensure that all invoices are accurate and that costs are for appropriately procured and eligible good or service under the federal program. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–029 REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Education, Education Stabilization Fund (ESF), ESF Section 1 – Elementary and Secondary Education COVID-19 84.425D/84.425R/84.425U/84.425V, Grant Award S425R210008, Grant Award S425D210036, Grant Award S425U210036, Grant Award S425V210008 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the American Rescue Plan (ARP) Act and 34 CFR Part 76, grantees that receive Elementary and Secondary School Emergency Relief (ESSER) Fund, Governor’s Emergency Education Relief (GEER) Fund and Emergency Assistance to Nonpublic Schools (EANS) Program must submit an annual performance report with data on expenditures, planned expenditures, subrecipients, and uses of funds, including for mandatory reservations. Condition: Management did not provide evidence of the review and approval of the annual ESSER and EANS report. In addition, for the annual EANS report, documentation supporting the amounts reported was not provided. Cause: The Department of Education did not have sufficient internal controls over the review and approval of the annual ESSER and EANS reports. In addition, sufficient internal controls are not in place to require the maintenance of supporting documentation. Effect or Potential Effect: ESSER and EANS reports submitted could have incorrect or inaccurate data/amounts. Questioned Costs: N/A Context: The ESSER and the EANS annual reports submitted relate to year ended June 30, 2022. The total expenditures for the ARP ESSER and ARP EANS programs in fiscal year 2022 were $163,642,108 and $2,989,943, respectively. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend WVDE enforces the existing policies and procedures and retain documentation over review and approval of reports prior to submission. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–017 SPECIAL TESTS AND PROVISIONS – SATISFACTORY ACADEMIC PROGRESS (N9)
Federal Program Information: Federal Agency and Program Name Assistance Listing #
Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” 34 CFR 668.16(e) states: “For purposes of determining student eligibility for assistance under a title IV, HEA program, establishes, publishes, and applies reasonable standards for measuring whether an otherwise eligible student is maintaining satisfactory academic progress in his or her educational program. The Secretary considers an institution's standards to be reasonable if the standards are in accordance with the provisions specified in § 668.34.” 34 CFR 668.34 states: “An institution must establish a reasonable satisfactory academic progress policy for determining whether an otherwise eligible student is making satisfactory academic progress in his or her educational program and may receive assistance under the title IV, HEA programs. The Secretary considers the institution's policy to be reasonable if— (1) The policy is at least as strict as the policy the institution applies to a student who is not receiving assistance under the title IV, HEA programs; (2) The policy provides for consistent application of standards to all students within categories of students, e.g., full-time, part-time, undergraduate, and graduate students, and educational programs established by the institution; (3) The policy provides that a student's academic progress is evaluated— (i) At the end of each payment period if the educational program is either one academic year in length or shorter than an academic year; or (ii) For all other educational programs, at the end of each payment period or at least annually to correspond with the end of a payment period; (4) (i) The policy specifies the grade point average (GPA) that a student must achieve at each evaluation, or if a GPA is not an appropriate qualitative measure, a comparable assessment measured against a norm; and (ii) If a student is enrolled in an educational program of more than two academic years, the policy specifies that at the end of the second academic year, the student must have a GPA of at least a “C” or its equivalent, or have academic standing consistent with the institution's requirements for graduation; (5) The policy specifies— (i) For all programs, the maximum timeframe as defined in paragraph (b) of this section; and (ii) For a credit hour program using standard or nonstandard terms that is not a subscription-based program, the pace, measured at each evaluation, at which a student must progress through his or her educational program to ensure that the student will complete the program within the maximum timeframe, calculated by either dividing the cumulative number of hours the student has successfully completed by the cumulative number of hours the student has attempted or by determining the number of hours that the student should have completed by the evaluation point in order to complete the program within the maximum timeframe. In making this calculation, the institution is not required to include remedial courses; (6) The policy describes how a student's GPA and pace of completion are affected by course incompletes, withdrawals, or repetitions, or transfers of credit from other institutions. Credit hours from another institution that are accepted toward the student's educational program must count as both attempted and completed hours; (7) Except as provided in paragraphs (c) and (d) of this section, the policy provides that, at the time of each evaluation, a student who has not achieved the required GPA, or who is not successfully completing his or her educational program at the required pace, is no longer eligible to receive assistance under the title IV, HEA programs; (8) If the institution places students on financial aid warning, or on financial aid probation, as defined in paragraph (b) of this section, the policy describes these statuses and that— (i) A student on financial aid warning may continue to receive assistance under the title IV, HEA programs for one payment period despite a determination that the student is not making satisfactory academic progress. Financial aid warning status may be assigned without an appeal or other action by the student; and (ii) A student on financial aid probation may receive title IV, HEA program funds for one payment period. While a student is on financial aid probation, the institution may require the student to fulfill specific terms and conditions such as taking a reduced course load or enrolling in specific courses. At the end of one payment period on financial aid probation, the student must meet the institution's satisfactory academic progress standards or meet the requirements of the academic plan developed by the institution and the student to qualify for further title IV, HEA program funds; (9) If the institution permits a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy describes— (i) How the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; (ii) The basis on which a student may file an appeal: The death of a relative, an injury or illness of the student, or other special circumstances; and (iii) Information the student must submit regarding why the student failed to make satisfactory academic progress, and what has changed in the student's situation that will allow the student to demonstrate satisfactory academic progress at the next evaluation; (10) If the institution does not permit a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy must describe how the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; and (11) The policy provides for notification to students of the results of an evaluation that impacts the student's eligibility for title IV, HEA program funds.” Condition: Bluefield State University (BSU), Fairmont State University (FSU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia School of Osteopathic Medicine (WVSOM), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the satisfactory academic progress (SAP) policy. During our testing, we noted there was no documentation retained to evidence that a review of the SAP policy was performed to ensure compliance with federal regulations. Additionally, Blue Ridge Community College (BRCTC) and WVUP did not publish the most recent version of the SAP policy on their websites. Furthermore, WVSOM did not include reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policy as the related SAP polices excluded the required element #11 above. BRCTC had an appropriate policy, but they did not publish the most recent version of the policy on their website. The older version of the SAP policy that was published on their website did not include the required element #11 above. Cause: Management of BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP did not retain sufficient documentation for their review procedures over the SAP policy. Management of BRCTC and WVSOM did not include all reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policies. Effect or Potential Effect: The published SAP policy may be deemed insufficient for the compliance requirements. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP were $5,084,582, $7,651,688, $17,584,932, $93,991,163, $3,672,778, $16,726,007, $3,090,314, $44,681,370, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should ensure the SAP is reviewed and approved on an annual basis and supporting documentation of the review retained. Management should design and implement internal controls over the SAP policy to ensure all requirements are included in the policy appropriately and published on the institution’s website timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–019 SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY (N12)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls. (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (iv) Assess apps developed by the institution (v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (vi) Dispose of customer information securely (vii) Anticipate and evaluate changes to the information system or network. (viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Blue Ridge Community and Technical College (BRCTC), Concord University (CU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program for Bluefield University (BSU), CU, MU, NRCTC, Shepherd University (SU), WLU, WVNCC, West Virginia State University (WVSU) and WVUP did not address all required elements per 16 CFR 314.4 outlined above. Furthermore, Fairmont State University (FSU) and Pierpont Community and Technical College (PCTC) did not have a written Information Security Program. For FSU, the written Information Security Program was not in place until May 2023. Cause: Management of BRCTC, CU, MU, NRCTC, WLU, WVNCC, and WVUP did not retain sufficient documentation for their review procedures over the Information Security Program. Management of BSU, CU, MU, NRCTC, SU, WVNCC, and WVSU did not include all reasonable standards required for the Information Security Program. Management of FSU and PCTC did not have a written Information Security Program. Effect or Potential Effect: The written Information Security Program may not be compliant with federal regulations. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, CU, FSU, MU, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, and WVUP were $5,084,582, $7,651,688, $13,833,684, $17,584,932, $93,991,163, $3,672,778, $4,388,461, $15,171,851, $16,726,007, $3,090,314, $9,313,808, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–020 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – VERIFICATION (N1)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Fairmont State University (FSU) did not have adequate internal controls in place surrounding the verification compliance requirement. During our testing, we noted for the samples selected that there were multiple selections showing a lack of proper review in the verification process. Cause: FSU did not have adequate internal controls in place to ensure that verification changes identified were processed and submitted to the U.S. Department of Education. Effect or Potential Effect: Students receiving federal aid could receive the incorrect amount of federal student financial assistance. Questioned Costs: N/A Context: We selected a sample of 23 students for FSU and identified 8 instances where the verification forms were not reviewed and approved. Total Student Financial Assistance Cluster expenditures for FSU were $17,584,932 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–015 and 2021–014 Recommendation: Management should develop and update internal controls to ensure that controls related to the verification process are implemented. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–021 BANNER INFORMATION TECHNOLOGY GENERAL CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the Banner application instances at 12 of 15 universities / colleges. As a result, Banner ITGCs, and therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Across the 11 universities/colleges (Blue Ridge Community and Technical College, Bluefield State University, Mountwest Community and Technical College, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia University, West Virginia University at Parkersburg, and West Virginia State University), management did not have a formalized process to support access provisioning events were authorized, approved and documented. Additionally, documentation did not exist to support the timely revocation of access upon a user leaving the university / college. Further, a user access review for Banner was not performed to ensure access remains appropriate based on users’ job responsibilities. We also identified instances where privileged accounts to Banner were shared amongst users and password settings were not configured with leading industry standards. Specific to the change management process, a formalized and documented process was not consistently followed to support that Banner application and supporting infrastructure patches and releases were authorized, tested, and approved prior to being implemented to production. Effect or Potential Effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the student financial aid system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned Costs: None Context: The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified Banner access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the Banner application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the Banner application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access to the Banner application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. Management should configure Banner password settings related to minimum length, complexity, expiration, history, and account lockout to enhance overall security. Further, privileged access to the Banner application should be granted to administrators via unique IDs to provide accountability and avoid the sharing of default privileged accounts. A formal, documented change process needs implemented to capture authorization, testing and production migration approvals for patches and releases to the Banner application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–024 SPECIAL TESTS AND PROVISIONS – USING A SERVICER TO DELIVER TITLE IV CREDIT BALANCES TO A CARD OR OTHER ACCESS DEVICE (N3)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” An institution may enter into an arrangement with a servicer or a financial institution to make a direct payment of federal student aid credit balances to students through electronic funds transfer to a bank account designated by a student or parent, to issue a check payment to the student or to use an access device such as a debit, demand, or smart card provided by the servicer or its financial partner. Regulations at 34 CFR 668.164(e) and (f) establish two different types of arrangements between schools and financial account providers: Tier One arrangements and Tier Two arrangements. The type of arrangement determines the provisions that are applicable to the school. 34 CFR 668.164(e)(2)(viii) states under a T1 arrangement, the institution must “provide to the Secretary an up-to-date URL for the contract and contract data as described in paragraph (e)(2)(vii) of this section for publication in a centralized database accessible to the public.” 34 CFR 668.164(e)(2)(ix) states under a T1 arrangement, the institution must “ensure that the terms of the accounts offered pursuant to a T1 arrangement are not inconsistent with the best financial interests of the students opening them. The Secretary considers this requirement to be met if (A) The institution documents that it conducts reasonable due diligence reviews at least every two years to ascertain whether the fees imposed under the T1 arrangement are, considered as a whole, consistent with or below prevailing market rates; and (B) All contracts for the marketing or offering of accounts pursuant to T1 arrangements to the institution's students make provision for termination of the arrangement by the institution based on complaints received from students or a determination by the institution under paragraph (e)(2)(ix)(A) of this section that the fees assessed under the T1 arrangement are not consistent with or are higher than prevailing market rates.” 34 CFR 668.164(e)(2)(x) states under a T1 arrangement, the institution must “take affirmative steps, by way of contractual arrangements with the third-party servicer as necessary, to ensure that requirements of this section are met with respect to all accounts offered pursuant to T1 arrangements.” Condition: Bluefield State University (BSU), Blueridge Community & Technical College (BRCTC), Concord University (CU), Mountwest Community & Technical College (MCTC), Shepherd University (SU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) have a T1 arrangement with a third-party servicer. BSU, CU, SU, WVNCC, and WVUP were unable to provide documentation showing that their institutions had submitted a URL to their contract with their third-party servicer and cost information related to their third-party servicer to the U.S. Department of Education for publication in the Cash Management Contracts Database. BSU, BRCTC, CU, MCTC, SU and WVNCC were unable to provide evidence showing that their institutions documented a due diligence review over the fees assessed by their third-party servicer of Title IV credit balances. Cause: BSU, BRCTC, CU, MCTC, SU, WVUP, and WVNCC did not have an internal control in place to review the contract with their third-party servicer of Title IV credit balances or obtain and review the third-party servicer’s Title IV compliance audit to ensure compliance with federal regulations. As such, instances of noncompliance were noted above. Effect or Potential Effect: The schools are not in compliance with certain federal regulations over T1 arrangements contained in 34 CFR 668.164(e). Questioned Costs: None Context: BSU, BRCTC, CU, MCTC, SU, WVNCC, and WVUP had total expenditures of $7,651,688, $5,084,582, $13,833,684, $4,467,631, $15,171,851, $3,090,314, and $6,847,451 respectively. Total expenditures for the SFA Cluster were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: The schools should implement internal controls over the review of the contract with their third-party servicer of Title IV credit balances and their Title IV compliance audit, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1) and Report on Controls Relevant to Security (SOC 2) to ensure compliance with the federal regulations over T1 arrangements. Documentation over the specific items reviewed and conclusions reached should be retained to support the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–004 INTERNAL CONTROLS OVER SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Opioid STR 93.788, Grant Award 1H79TI085744-01, Grant Award 1H79TI083313-01, Grant Award 6H79TI083313-02M002, Grant Award 6H79TI083313-02M004, Grant Award 5H79TI083313-02 Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04, Child Care and Development Fund (CCDF) Cluster 93.575/93.596/COVID-19 93.575, Grant Award G2201WVCCDF, Grant Award G2301WVCCDF Temporary Assistance for Needy Families 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: During our internal control testing of subrecipient monitoring, we determined that the subrecipient risk assessment performed did not clearly conclude the level of risk assessed (Low, Medium, High) for each subrecipient. Cause: The internal controls over subrecipient monitoring are not designed sufficiently to require a conclusion to be reached on a subrecipient’s risk assessment to determine the level of monitoring required to be performed. Effect or Potential Effect: Subrecipients may not be properly risk assessed; therefore, impacting the type and amount of monitoring that would be performed in the future. Questioned Costs: N/A Context: The federal expenditures and subrecipient expenditures for the Opioid STR program for the fiscal year ended June 30, 2023, were $34,877,309 and $32,388,417, respectively. The federal expenditures and subrecipient expenditures for the Child Care and Development Fund (CCDF Cluster) for the fiscal year ended June 30, 2023, were $202,427,780 and $45,239,361, respectively. The federal expenditures and subrecipient expenditures for the Temporary Assistance for Needy Families for the fiscal year ended June 30, 2023, were $85,510,454, and $18,789,521, respectively. Identification as a Repeat Finding: Prior Year Finding 2022–041 Recommendation: We recommend that DHHR management review its internal controls over the risk assessment process to perform the risk assessment and conclude on the level of risk and monitoring required. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–034 SUBRECIPIENT CASH MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.305(b)(1) requires that the non-federal entity must “monitor cash drawdowns by their subrecipients to ensure that the time elapsing between the transfer of federal funds to the subrecipient and their disbursement for program purposes is minimized as required by the applicable cash management requirements in the federal award to the recipient.” Per DHHR policy, the Spending Unit shall limit cash advances to a subrecipient to the minimum amounts needed and be timed in accordance with the actual, immediate cash requirements of the subrecipient for carrying out the purpose of the approved program or project. The timing and amount of cash advances shall be as close as is administratively feasible to the actual disbursements by the subrecipient for direct program or project costs and the proportionate share of any allowable indirect costs. Condition: During our testing of Epidemiology and Laboratory Capacity for Infectious Diseases, the West Virginia Department of Health and Human Resources (DHHR) was unable to provide adequate documentation supporting why a subrecipient drawdown was approved for payment for 1 of the 36 drawdowns selected for testing. The supporting documentation for the draw down showed less expenses than the amount that had been drawn down to date on the grants and also showed the subrecipient appeared to have adequate cash balances on hand at the time of the request. Cause: Supporting documentation was not retained to demonstrate cash advances to the subrecipient represented the minimum amount needed for actual and immediate cash requirements of the subrecipient for carrying out the purpose of the program. Effect or Potential Effect: The cash remitted to the subrecipient may not be accurate and may be in excess of the subrecipients actual and immediate cash requirements for carrying out the purpose of the program. Questioned Costs: $77,063 Context: The total subrecipient drawdowns selected for testing was $1,879,150. The total amount of subrecipient drawdowns for the Epidemiology program during FY23 was $7,478,038. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that DHHR establish policies and procedures requiring documentation from subrecipients substantiating that the amount of a drawdown is appropriate based on the expenditures through the request date so that the reconciliation preformed for the related drawdown is sufficient to determine that the drawdown is appropriate and excess cash is not remitted to the subrecipient. View of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–058 EQUIPMENT AND REAL PROPERTY MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.313(b) requires a state use, manage and dispose of equipment acquired under a Federal award by the state in accordance with state laws and procedures. According to State Policy, “All agencies are required to take a physical inventory once every three years, and shall have completed such physical inventory by June 30th of the relevant year. The physical inventory shall include viewing of all Reportable Assets under the agency’s jurisdiction. The head of every spending unit of state government shall, on or before the fifteenth day of July of each year, file with the Purchasing Division director an inventory of all real and personal property, and of all equipment, supplies and commodities in its possession as of the close of the last fiscal year as stated in West Virginia Code §5A-3-35. Condition: During our testing of Epidemiology and Laboratory Capacity for Infectious Diseases, the West Virginia Department of Health and Human Resources (DHHR) was unable to provide adequate documentation supporting the most recent physical inventory of fixed assets for the agency. Cause: Adequate documentation supporting compliance with the State’s policies regarding physical inventory was not provided. Effect or Potential Effect: The Epidemiology and Laboratory Capacity for Infectious Diseases Program may not be in compliance with the requirements of F. Equipment & Real Property Management. Questioned Costs: Unknown Context: The total expenditures for the year ended June 30, 2023 were $23,002,255. Total equipment purchases for FY 2023 were $2,533,124. Identification as a Repeat Finding: This is not a repeat finding from prior year. Recommendation: We recommend that DHHR follow the State’s established policies and maintain documentation evidencing the internal control and oversight of fixed asset management. View of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–004 INTERNAL CONTROLS OVER SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Opioid STR 93.788, Grant Award 1H79TI085744-01, Grant Award 1H79TI083313-01, Grant Award 6H79TI083313-02M002, Grant Award 6H79TI083313-02M004, Grant Award 5H79TI083313-02 Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04, Child Care and Development Fund (CCDF) Cluster 93.575/93.596/COVID-19 93.575, Grant Award G2201WVCCDF, Grant Award G2301WVCCDF Temporary Assistance for Needy Families 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: During our internal control testing of subrecipient monitoring, we determined that the subrecipient risk assessment performed did not clearly conclude the level of risk assessed (Low, Medium, High) for each subrecipient. Cause: The internal controls over subrecipient monitoring are not designed sufficiently to require a conclusion to be reached on a subrecipient’s risk assessment to determine the level of monitoring required to be performed. Effect or Potential Effect: Subrecipients may not be properly risk assessed; therefore, impacting the type and amount of monitoring that would be performed in the future. Questioned Costs: N/A Context: The federal expenditures and subrecipient expenditures for the Opioid STR program for the fiscal year ended June 30, 2023, were $34,877,309 and $32,388,417, respectively. The federal expenditures and subrecipient expenditures for the Child Care and Development Fund (CCDF Cluster) for the fiscal year ended June 30, 2023, were $202,427,780 and $45,239,361, respectively. The federal expenditures and subrecipient expenditures for the Temporary Assistance for Needy Families for the fiscal year ended June 30, 2023, were $85,510,454, and $18,789,521, respectively. Identification as a Repeat Finding: Prior Year Finding 2022–041 Recommendation: We recommend that DHHR management review its internal controls over the risk assessment process to perform the risk assessment and conclude on the level of risk and monitoring required. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–034 SUBRECIPIENT CASH MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.305(b)(1) requires that the non-federal entity must “monitor cash drawdowns by their subrecipients to ensure that the time elapsing between the transfer of federal funds to the subrecipient and their disbursement for program purposes is minimized as required by the applicable cash management requirements in the federal award to the recipient.” Per DHHR policy, the Spending Unit shall limit cash advances to a subrecipient to the minimum amounts needed and be timed in accordance with the actual, immediate cash requirements of the subrecipient for carrying out the purpose of the approved program or project. The timing and amount of cash advances shall be as close as is administratively feasible to the actual disbursements by the subrecipient for direct program or project costs and the proportionate share of any allowable indirect costs. Condition: During our testing of Epidemiology and Laboratory Capacity for Infectious Diseases, the West Virginia Department of Health and Human Resources (DHHR) was unable to provide adequate documentation supporting why a subrecipient drawdown was approved for payment for 1 of the 36 drawdowns selected for testing. The supporting documentation for the draw down showed less expenses than the amount that had been drawn down to date on the grants and also showed the subrecipient appeared to have adequate cash balances on hand at the time of the request. Cause: Supporting documentation was not retained to demonstrate cash advances to the subrecipient represented the minimum amount needed for actual and immediate cash requirements of the subrecipient for carrying out the purpose of the program. Effect or Potential Effect: The cash remitted to the subrecipient may not be accurate and may be in excess of the subrecipients actual and immediate cash requirements for carrying out the purpose of the program. Questioned Costs: $77,063 Context: The total subrecipient drawdowns selected for testing was $1,879,150. The total amount of subrecipient drawdowns for the Epidemiology program during FY23 was $7,478,038. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that DHHR establish policies and procedures requiring documentation from subrecipients substantiating that the amount of a drawdown is appropriate based on the expenditures through the request date so that the reconciliation preformed for the related drawdown is sufficient to determine that the drawdown is appropriate and excess cash is not remitted to the subrecipient. View of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–058 EQUIPMENT AND REAL PROPERTY MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.313(b) requires a state use, manage and dispose of equipment acquired under a Federal award by the state in accordance with state laws and procedures. According to State Policy, “All agencies are required to take a physical inventory once every three years, and shall have completed such physical inventory by June 30th of the relevant year. The physical inventory shall include viewing of all Reportable Assets under the agency’s jurisdiction. The head of every spending unit of state government shall, on or before the fifteenth day of July of each year, file with the Purchasing Division director an inventory of all real and personal property, and of all equipment, supplies and commodities in its possession as of the close of the last fiscal year as stated in West Virginia Code §5A-3-35. Condition: During our testing of Epidemiology and Laboratory Capacity for Infectious Diseases, the West Virginia Department of Health and Human Resources (DHHR) was unable to provide adequate documentation supporting the most recent physical inventory of fixed assets for the agency. Cause: Adequate documentation supporting compliance with the State’s policies regarding physical inventory was not provided. Effect or Potential Effect: The Epidemiology and Laboratory Capacity for Infectious Diseases Program may not be in compliance with the requirements of F. Equipment & Real Property Management. Questioned Costs: Unknown Context: The total expenditures for the year ended June 30, 2023 were $23,002,255. Total equipment purchases for FY 2023 were $2,533,124. Identification as a Repeat Finding: This is not a repeat finding from prior year. Recommendation: We recommend that DHHR follow the State’s established policies and maintain documentation evidencing the internal control and oversight of fixed asset management. View of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–017 SPECIAL TESTS AND PROVISIONS – SATISFACTORY ACADEMIC PROGRESS (N9)
Federal Program Information: Federal Agency and Program Name Assistance Listing #
Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” 34 CFR 668.16(e) states: “For purposes of determining student eligibility for assistance under a title IV, HEA program, establishes, publishes, and applies reasonable standards for measuring whether an otherwise eligible student is maintaining satisfactory academic progress in his or her educational program. The Secretary considers an institution's standards to be reasonable if the standards are in accordance with the provisions specified in § 668.34.” 34 CFR 668.34 states: “An institution must establish a reasonable satisfactory academic progress policy for determining whether an otherwise eligible student is making satisfactory academic progress in his or her educational program and may receive assistance under the title IV, HEA programs. The Secretary considers the institution's policy to be reasonable if— (1) The policy is at least as strict as the policy the institution applies to a student who is not receiving assistance under the title IV, HEA programs; (2) The policy provides for consistent application of standards to all students within categories of students, e.g., full-time, part-time, undergraduate, and graduate students, and educational programs established by the institution; (3) The policy provides that a student's academic progress is evaluated— (i) At the end of each payment period if the educational program is either one academic year in length or shorter than an academic year; or (ii) For all other educational programs, at the end of each payment period or at least annually to correspond with the end of a payment period; (4) (i) The policy specifies the grade point average (GPA) that a student must achieve at each evaluation, or if a GPA is not an appropriate qualitative measure, a comparable assessment measured against a norm; and (ii) If a student is enrolled in an educational program of more than two academic years, the policy specifies that at the end of the second academic year, the student must have a GPA of at least a “C” or its equivalent, or have academic standing consistent with the institution's requirements for graduation; (5) The policy specifies— (i) For all programs, the maximum timeframe as defined in paragraph (b) of this section; and (ii) For a credit hour program using standard or nonstandard terms that is not a subscription-based program, the pace, measured at each evaluation, at which a student must progress through his or her educational program to ensure that the student will complete the program within the maximum timeframe, calculated by either dividing the cumulative number of hours the student has successfully completed by the cumulative number of hours the student has attempted or by determining the number of hours that the student should have completed by the evaluation point in order to complete the program within the maximum timeframe. In making this calculation, the institution is not required to include remedial courses; (6) The policy describes how a student's GPA and pace of completion are affected by course incompletes, withdrawals, or repetitions, or transfers of credit from other institutions. Credit hours from another institution that are accepted toward the student's educational program must count as both attempted and completed hours; (7) Except as provided in paragraphs (c) and (d) of this section, the policy provides that, at the time of each evaluation, a student who has not achieved the required GPA, or who is not successfully completing his or her educational program at the required pace, is no longer eligible to receive assistance under the title IV, HEA programs; (8) If the institution places students on financial aid warning, or on financial aid probation, as defined in paragraph (b) of this section, the policy describes these statuses and that— (i) A student on financial aid warning may continue to receive assistance under the title IV, HEA programs for one payment period despite a determination that the student is not making satisfactory academic progress. Financial aid warning status may be assigned without an appeal or other action by the student; and (ii) A student on financial aid probation may receive title IV, HEA program funds for one payment period. While a student is on financial aid probation, the institution may require the student to fulfill specific terms and conditions such as taking a reduced course load or enrolling in specific courses. At the end of one payment period on financial aid probation, the student must meet the institution's satisfactory academic progress standards or meet the requirements of the academic plan developed by the institution and the student to qualify for further title IV, HEA program funds; (9) If the institution permits a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy describes— (i) How the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; (ii) The basis on which a student may file an appeal: The death of a relative, an injury or illness of the student, or other special circumstances; and (iii) Information the student must submit regarding why the student failed to make satisfactory academic progress, and what has changed in the student's situation that will allow the student to demonstrate satisfactory academic progress at the next evaluation; (10) If the institution does not permit a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy must describe how the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; and (11) The policy provides for notification to students of the results of an evaluation that impacts the student's eligibility for title IV, HEA program funds.” Condition: Bluefield State University (BSU), Fairmont State University (FSU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia School of Osteopathic Medicine (WVSOM), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the satisfactory academic progress (SAP) policy. During our testing, we noted there was no documentation retained to evidence that a review of the SAP policy was performed to ensure compliance with federal regulations. Additionally, Blue Ridge Community College (BRCTC) and WVUP did not publish the most recent version of the SAP policy on their websites. Furthermore, WVSOM did not include reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policy as the related SAP polices excluded the required element #11 above. BRCTC had an appropriate policy, but they did not publish the most recent version of the policy on their website. The older version of the SAP policy that was published on their website did not include the required element #11 above. Cause: Management of BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP did not retain sufficient documentation for their review procedures over the SAP policy. Management of BRCTC and WVSOM did not include all reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policies. Effect or Potential Effect: The published SAP policy may be deemed insufficient for the compliance requirements. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP were $5,084,582, $7,651,688, $17,584,932, $93,991,163, $3,672,778, $16,726,007, $3,090,314, $44,681,370, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should ensure the SAP is reviewed and approved on an annual basis and supporting documentation of the review retained. Management should design and implement internal controls over the SAP policy to ensure all requirements are included in the policy appropriately and published on the institution’s website timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–019 SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY (N12)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls. (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (iv) Assess apps developed by the institution (v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (vi) Dispose of customer information securely (vii) Anticipate and evaluate changes to the information system or network. (viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Blue Ridge Community and Technical College (BRCTC), Concord University (CU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program for Bluefield University (BSU), CU, MU, NRCTC, Shepherd University (SU), WLU, WVNCC, West Virginia State University (WVSU) and WVUP did not address all required elements per 16 CFR 314.4 outlined above. Furthermore, Fairmont State University (FSU) and Pierpont Community and Technical College (PCTC) did not have a written Information Security Program. For FSU, the written Information Security Program was not in place until May 2023. Cause: Management of BRCTC, CU, MU, NRCTC, WLU, WVNCC, and WVUP did not retain sufficient documentation for their review procedures over the Information Security Program. Management of BSU, CU, MU, NRCTC, SU, WVNCC, and WVSU did not include all reasonable standards required for the Information Security Program. Management of FSU and PCTC did not have a written Information Security Program. Effect or Potential Effect: The written Information Security Program may not be compliant with federal regulations. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, CU, FSU, MU, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, and WVUP were $5,084,582, $7,651,688, $13,833,684, $17,584,932, $93,991,163, $3,672,778, $4,388,461, $15,171,851, $16,726,007, $3,090,314, $9,313,808, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–020 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – VERIFICATION (N1)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Fairmont State University (FSU) did not have adequate internal controls in place surrounding the verification compliance requirement. During our testing, we noted for the samples selected that there were multiple selections showing a lack of proper review in the verification process. Cause: FSU did not have adequate internal controls in place to ensure that verification changes identified were processed and submitted to the U.S. Department of Education. Effect or Potential Effect: Students receiving federal aid could receive the incorrect amount of federal student financial assistance. Questioned Costs: N/A Context: We selected a sample of 23 students for FSU and identified 8 instances where the verification forms were not reviewed and approved. Total Student Financial Assistance Cluster expenditures for FSU were $17,584,932 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–015 and 2021–014 Recommendation: Management should develop and update internal controls to ensure that controls related to the verification process are implemented. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–021 BANNER INFORMATION TECHNOLOGY GENERAL CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the Banner application instances at 12 of 15 universities / colleges. As a result, Banner ITGCs, and therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Across the 11 universities/colleges (Blue Ridge Community and Technical College, Bluefield State University, Mountwest Community and Technical College, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia University, West Virginia University at Parkersburg, and West Virginia State University), management did not have a formalized process to support access provisioning events were authorized, approved and documented. Additionally, documentation did not exist to support the timely revocation of access upon a user leaving the university / college. Further, a user access review for Banner was not performed to ensure access remains appropriate based on users’ job responsibilities. We also identified instances where privileged accounts to Banner were shared amongst users and password settings were not configured with leading industry standards. Specific to the change management process, a formalized and documented process was not consistently followed to support that Banner application and supporting infrastructure patches and releases were authorized, tested, and approved prior to being implemented to production. Effect or Potential Effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the student financial aid system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned Costs: None Context: The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified Banner access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the Banner application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the Banner application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access to the Banner application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. Management should configure Banner password settings related to minimum length, complexity, expiration, history, and account lockout to enhance overall security. Further, privileged access to the Banner application should be granted to administrators via unique IDs to provide accountability and avoid the sharing of default privileged accounts. A formal, documented change process needs implemented to capture authorization, testing and production migration approvals for patches and releases to the Banner application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–024 SPECIAL TESTS AND PROVISIONS – USING A SERVICER TO DELIVER TITLE IV CREDIT BALANCES TO A CARD OR OTHER ACCESS DEVICE (N3)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” An institution may enter into an arrangement with a servicer or a financial institution to make a direct payment of federal student aid credit balances to students through electronic funds transfer to a bank account designated by a student or parent, to issue a check payment to the student or to use an access device such as a debit, demand, or smart card provided by the servicer or its financial partner. Regulations at 34 CFR 668.164(e) and (f) establish two different types of arrangements between schools and financial account providers: Tier One arrangements and Tier Two arrangements. The type of arrangement determines the provisions that are applicable to the school. 34 CFR 668.164(e)(2)(viii) states under a T1 arrangement, the institution must “provide to the Secretary an up-to-date URL for the contract and contract data as described in paragraph (e)(2)(vii) of this section for publication in a centralized database accessible to the public.” 34 CFR 668.164(e)(2)(ix) states under a T1 arrangement, the institution must “ensure that the terms of the accounts offered pursuant to a T1 arrangement are not inconsistent with the best financial interests of the students opening them. The Secretary considers this requirement to be met if (A) The institution documents that it conducts reasonable due diligence reviews at least every two years to ascertain whether the fees imposed under the T1 arrangement are, considered as a whole, consistent with or below prevailing market rates; and (B) All contracts for the marketing or offering of accounts pursuant to T1 arrangements to the institution's students make provision for termination of the arrangement by the institution based on complaints received from students or a determination by the institution under paragraph (e)(2)(ix)(A) of this section that the fees assessed under the T1 arrangement are not consistent with or are higher than prevailing market rates.” 34 CFR 668.164(e)(2)(x) states under a T1 arrangement, the institution must “take affirmative steps, by way of contractual arrangements with the third-party servicer as necessary, to ensure that requirements of this section are met with respect to all accounts offered pursuant to T1 arrangements.” Condition: Bluefield State University (BSU), Blueridge Community & Technical College (BRCTC), Concord University (CU), Mountwest Community & Technical College (MCTC), Shepherd University (SU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) have a T1 arrangement with a third-party servicer. BSU, CU, SU, WVNCC, and WVUP were unable to provide documentation showing that their institutions had submitted a URL to their contract with their third-party servicer and cost information related to their third-party servicer to the U.S. Department of Education for publication in the Cash Management Contracts Database. BSU, BRCTC, CU, MCTC, SU and WVNCC were unable to provide evidence showing that their institutions documented a due diligence review over the fees assessed by their third-party servicer of Title IV credit balances. Cause: BSU, BRCTC, CU, MCTC, SU, WVUP, and WVNCC did not have an internal control in place to review the contract with their third-party servicer of Title IV credit balances or obtain and review the third-party servicer’s Title IV compliance audit to ensure compliance with federal regulations. As such, instances of noncompliance were noted above. Effect or Potential Effect: The schools are not in compliance with certain federal regulations over T1 arrangements contained in 34 CFR 668.164(e). Questioned Costs: None Context: BSU, BRCTC, CU, MCTC, SU, WVNCC, and WVUP had total expenditures of $7,651,688, $5,084,582, $13,833,684, $4,467,631, $15,171,851, $3,090,314, and $6,847,451 respectively. Total expenditures for the SFA Cluster were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: The schools should implement internal controls over the review of the contract with their third-party servicer of Title IV credit balances and their Title IV compliance audit, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1) and Report on Controls Relevant to Security (SOC 2) to ensure compliance with the federal regulations over T1 arrangements. Documentation over the specific items reviewed and conclusions reached should be retained to support the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–017 SPECIAL TESTS AND PROVISIONS – SATISFACTORY ACADEMIC PROGRESS (N9)
Federal Program Information: Federal Agency and Program Name Assistance Listing #
Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” 34 CFR 668.16(e) states: “For purposes of determining student eligibility for assistance under a title IV, HEA program, establishes, publishes, and applies reasonable standards for measuring whether an otherwise eligible student is maintaining satisfactory academic progress in his or her educational program. The Secretary considers an institution's standards to be reasonable if the standards are in accordance with the provisions specified in § 668.34.” 34 CFR 668.34 states: “An institution must establish a reasonable satisfactory academic progress policy for determining whether an otherwise eligible student is making satisfactory academic progress in his or her educational program and may receive assistance under the title IV, HEA programs. The Secretary considers the institution's policy to be reasonable if— (1) The policy is at least as strict as the policy the institution applies to a student who is not receiving assistance under the title IV, HEA programs; (2) The policy provides for consistent application of standards to all students within categories of students, e.g., full-time, part-time, undergraduate, and graduate students, and educational programs established by the institution; (3) The policy provides that a student's academic progress is evaluated— (i) At the end of each payment period if the educational program is either one academic year in length or shorter than an academic year; or (ii) For all other educational programs, at the end of each payment period or at least annually to correspond with the end of a payment period; (4) (i) The policy specifies the grade point average (GPA) that a student must achieve at each evaluation, or if a GPA is not an appropriate qualitative measure, a comparable assessment measured against a norm; and (ii) If a student is enrolled in an educational program of more than two academic years, the policy specifies that at the end of the second academic year, the student must have a GPA of at least a “C” or its equivalent, or have academic standing consistent with the institution's requirements for graduation; (5) The policy specifies— (i) For all programs, the maximum timeframe as defined in paragraph (b) of this section; and (ii) For a credit hour program using standard or nonstandard terms that is not a subscription-based program, the pace, measured at each evaluation, at which a student must progress through his or her educational program to ensure that the student will complete the program within the maximum timeframe, calculated by either dividing the cumulative number of hours the student has successfully completed by the cumulative number of hours the student has attempted or by determining the number of hours that the student should have completed by the evaluation point in order to complete the program within the maximum timeframe. In making this calculation, the institution is not required to include remedial courses; (6) The policy describes how a student's GPA and pace of completion are affected by course incompletes, withdrawals, or repetitions, or transfers of credit from other institutions. Credit hours from another institution that are accepted toward the student's educational program must count as both attempted and completed hours; (7) Except as provided in paragraphs (c) and (d) of this section, the policy provides that, at the time of each evaluation, a student who has not achieved the required GPA, or who is not successfully completing his or her educational program at the required pace, is no longer eligible to receive assistance under the title IV, HEA programs; (8) If the institution places students on financial aid warning, or on financial aid probation, as defined in paragraph (b) of this section, the policy describes these statuses and that— (i) A student on financial aid warning may continue to receive assistance under the title IV, HEA programs for one payment period despite a determination that the student is not making satisfactory academic progress. Financial aid warning status may be assigned without an appeal or other action by the student; and (ii) A student on financial aid probation may receive title IV, HEA program funds for one payment period. While a student is on financial aid probation, the institution may require the student to fulfill specific terms and conditions such as taking a reduced course load or enrolling in specific courses. At the end of one payment period on financial aid probation, the student must meet the institution's satisfactory academic progress standards or meet the requirements of the academic plan developed by the institution and the student to qualify for further title IV, HEA program funds; (9) If the institution permits a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy describes— (i) How the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; (ii) The basis on which a student may file an appeal: The death of a relative, an injury or illness of the student, or other special circumstances; and (iii) Information the student must submit regarding why the student failed to make satisfactory academic progress, and what has changed in the student's situation that will allow the student to demonstrate satisfactory academic progress at the next evaluation; (10) If the institution does not permit a student to appeal a determination by the institution that he or she is not making satisfactory academic progress, the policy must describe how the student may reestablish his or her eligibility to receive assistance under the title IV, HEA programs; and (11) The policy provides for notification to students of the results of an evaluation that impacts the student's eligibility for title IV, HEA program funds.” Condition: Bluefield State University (BSU), Fairmont State University (FSU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), West Virginia School of Osteopathic Medicine (WVSOM), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the satisfactory academic progress (SAP) policy. During our testing, we noted there was no documentation retained to evidence that a review of the SAP policy was performed to ensure compliance with federal regulations. Additionally, Blue Ridge Community College (BRCTC) and WVUP did not publish the most recent version of the SAP policy on their websites. Furthermore, WVSOM did not include reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policy as the related SAP polices excluded the required element #11 above. BRCTC had an appropriate policy, but they did not publish the most recent version of the policy on their website. The older version of the SAP policy that was published on their website did not include the required element #11 above. Cause: Management of BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP did not retain sufficient documentation for their review procedures over the SAP policy. Management of BRCTC and WVSOM did not include all reasonable standards for measuring whether eligible students are maintaining SAP in their educational program in their published SAP policies. Effect or Potential Effect: The published SAP policy may be deemed insufficient for the compliance requirements. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, FSU, MU, NRCTC, WLU, WVNCC, WVSOM, and WVUP were $5,084,582, $7,651,688, $17,584,932, $93,991,163, $3,672,778, $16,726,007, $3,090,314, $44,681,370, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should ensure the SAP is reviewed and approved on an annual basis and supporting documentation of the review retained. Management should design and implement internal controls over the SAP policy to ensure all requirements are included in the policy appropriately and published on the institution’s website timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–019 SPECIAL TESTS AND PROVISIONS – GRAMM-LEACH-BLILEY ACT-STUDENT INFORMATION SECURITY (N12)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The Gramm-Leach-Bliley Act (Pub. L. No. 106-102) (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. At a minimum, an institution’s written information security program — (1) Designates a qualified individual responsible for overseeing and implementing the institution’s information security program and enforcing the information security program in compliance (16 CFR 314.4(a)). (2) Provides for the information security program to be based on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information (as the term customer information applies to the institution) that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks (16 CFR 3 14.4(b)). (3) Provides for the design and implementation of safeguards to control the risks the institution identifies through its risk assessment (16 CFR 3 14.4(c)). At a minimum, the institution’s written information security program must address the implementation of the minimum safeguards identified in 16 CFR 314.4(c)(1) through (8). The eight minimum safeguards that the written information security program must address are summarized as follows: (i) Implement and periodically review access controls. (ii) Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. (iii) Encrypt customer information on the institution’s system and when it’s in transit. (iv) Assess apps developed by the institution (v) Implement multi-factor authentication for anyone accessing customer information on the institution’s system (vi) Dispose of customer information securely (vii) Anticipate and evaluate changes to the information system or network. (viii) Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. (4) Provides for the institution to regularly test or otherwise monitor the effectiveness of the safeguards it has implemented (16 CFR 314.4(d)). (5) Provides for the implementation of policies and procedures to ensure that personnel are able to enact the information security program (16 CFR 314.4(e)(1)). (6) Addresses how the institution will oversee its information system service providers (16 CFR 314.4(f)). (7) Provides for the evaluation and adjustment of its information security program in light of the results of the required testing and monitoring; any material changes to its operations or business arrangements; the results of the required risk assessments; or any other circumstances that it knows or has reason to know may have a material impact the institution’s information security program (16 CFR 314.4(g)). Condition: Blue Ridge Community and Technical College (BRCTC), Concord University (CU), Marshall University (MU), New River Community and Technical College (NRCTC), West Liberty University (WLU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) did not have adequate internal controls in place surrounding the Information Security Program. During our testing, we noted there was no documentation retained to evidence that a review of the Information Security Program was performed to ensure compliance with federal regulations. Additionally, the written Information Security Program for Bluefield University (BSU), CU, MU, NRCTC, Shepherd University (SU), WLU, WVNCC, West Virginia State University (WVSU) and WVUP did not address all required elements per 16 CFR 314.4 outlined above. Furthermore, Fairmont State University (FSU) and Pierpont Community and Technical College (PCTC) did not have a written Information Security Program. For FSU, the written Information Security Program was not in place until May 2023. Cause: Management of BRCTC, CU, MU, NRCTC, WLU, WVNCC, and WVUP did not retain sufficient documentation for their review procedures over the Information Security Program. Management of BSU, CU, MU, NRCTC, SU, WVNCC, and WVSU did not include all reasonable standards required for the Information Security Program. Management of FSU and PCTC did not have a written Information Security Program. Effect or Potential Effect: The written Information Security Program may not be compliant with federal regulations. Questioned Costs: None Context: Total Student Financial Assistance Cluster expenditures for BRCTC, BSU, CU, FSU, MU, NRCTC, PCTC, SU, WLU, WVNCC, WVSU, and WVUP were $5,084,582, $7,651,688, $13,833,684, $17,584,932, $93,991,163, $3,672,778, $4,388,461, $15,171,851, $16,726,007, $3,090,314, $9,313,808, $6,847,451, respectively, for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Management should design and implement internal controls over the Information Security Program to ensure all requirements of the GLBA are included in the written Information Security Program appropriately. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–020 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – VERIFICATION (N1)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: Fairmont State University (FSU) did not have adequate internal controls in place surrounding the verification compliance requirement. During our testing, we noted for the samples selected that there were multiple selections showing a lack of proper review in the verification process. Cause: FSU did not have adequate internal controls in place to ensure that verification changes identified were processed and submitted to the U.S. Department of Education. Effect or Potential Effect: Students receiving federal aid could receive the incorrect amount of federal student financial assistance. Questioned Costs: N/A Context: We selected a sample of 23 students for FSU and identified 8 instances where the verification forms were not reviewed and approved. Total Student Financial Assistance Cluster expenditures for FSU were $17,584,932 for the year ended June 30, 2023. The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: Prior Year Findings 2022–015 and 2021–014 Recommendation: Management should develop and update internal controls to ensure that controls related to the verification process are implemented. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–021 BANNER INFORMATION TECHNOLOGY GENERAL CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the Banner application instances at 12 of 15 universities / colleges. As a result, Banner ITGCs, and therefore, Banner application controls, cannot be relied upon in the period of audit. Cause: Across the 11 universities/colleges (Blue Ridge Community and Technical College, Bluefield State University, Mountwest Community and Technical College, New River Community and Technical College, Pierpont Community and Technical College, Shepherd University, West Liberty University, West Virginia Northern Community College, West Virginia University, West Virginia University at Parkersburg, and West Virginia State University), management did not have a formalized process to support access provisioning events were authorized, approved and documented. Additionally, documentation did not exist to support the timely revocation of access upon a user leaving the university / college. Further, a user access review for Banner was not performed to ensure access remains appropriate based on users’ job responsibilities. We also identified instances where privileged accounts to Banner were shared amongst users and password settings were not configured with leading industry standards. Specific to the change management process, a formalized and documented process was not consistently followed to support that Banner application and supporting infrastructure patches and releases were authorized, tested, and approved prior to being implemented to production. Effect or Potential Effect: There is a risk the data relevant to the Student Financial Assistance Cluster program stored within the student financial aid system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the Banner application. As a result, the Banner application cannot be relied on for the audit period. Questioned Costs: None Context: The total expenditures for the Student Financial Assistance Cluster for the year ended June 30, 2023, were $470,995,643. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified Banner access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the Banner application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the Banner application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access to the Banner application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. Management should configure Banner password settings related to minimum length, complexity, expiration, history, and account lockout to enhance overall security. Further, privileged access to the Banner application should be granted to administrators via unique IDs to provide accountability and avoid the sharing of default privileged accounts. A formal, documented change process needs implemented to capture authorization, testing and production migration approvals for patches and releases to the Banner application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–024 SPECIAL TESTS AND PROVISIONS – USING A SERVICER TO DELIVER TITLE IV CREDIT BALANCES TO A CARD OR OTHER ACCESS DEVICE (N3)
Federal Program Information: Federal Agency and Program Name Assistance Listing # Student Financial Assistance (SFA) Cluster U.S. Department of Education 84.007/84.033/84.038/84.063/84.268/84.379; U.S. Department of Health and Human Services 93.264/93.342/93.364
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” An institution may enter into an arrangement with a servicer or a financial institution to make a direct payment of federal student aid credit balances to students through electronic funds transfer to a bank account designated by a student or parent, to issue a check payment to the student or to use an access device such as a debit, demand, or smart card provided by the servicer or its financial partner. Regulations at 34 CFR 668.164(e) and (f) establish two different types of arrangements between schools and financial account providers: Tier One arrangements and Tier Two arrangements. The type of arrangement determines the provisions that are applicable to the school. 34 CFR 668.164(e)(2)(viii) states under a T1 arrangement, the institution must “provide to the Secretary an up-to-date URL for the contract and contract data as described in paragraph (e)(2)(vii) of this section for publication in a centralized database accessible to the public.” 34 CFR 668.164(e)(2)(ix) states under a T1 arrangement, the institution must “ensure that the terms of the accounts offered pursuant to a T1 arrangement are not inconsistent with the best financial interests of the students opening them. The Secretary considers this requirement to be met if (A) The institution documents that it conducts reasonable due diligence reviews at least every two years to ascertain whether the fees imposed under the T1 arrangement are, considered as a whole, consistent with or below prevailing market rates; and (B) All contracts for the marketing or offering of accounts pursuant to T1 arrangements to the institution's students make provision for termination of the arrangement by the institution based on complaints received from students or a determination by the institution under paragraph (e)(2)(ix)(A) of this section that the fees assessed under the T1 arrangement are not consistent with or are higher than prevailing market rates.” 34 CFR 668.164(e)(2)(x) states under a T1 arrangement, the institution must “take affirmative steps, by way of contractual arrangements with the third-party servicer as necessary, to ensure that requirements of this section are met with respect to all accounts offered pursuant to T1 arrangements.” Condition: Bluefield State University (BSU), Blueridge Community & Technical College (BRCTC), Concord University (CU), Mountwest Community & Technical College (MCTC), Shepherd University (SU), West Virginia Northern Community College (WVNCC), and West Virginia University at Parkersburg (WVUP) have a T1 arrangement with a third-party servicer. BSU, CU, SU, WVNCC, and WVUP were unable to provide documentation showing that their institutions had submitted a URL to their contract with their third-party servicer and cost information related to their third-party servicer to the U.S. Department of Education for publication in the Cash Management Contracts Database. BSU, BRCTC, CU, MCTC, SU and WVNCC were unable to provide evidence showing that their institutions documented a due diligence review over the fees assessed by their third-party servicer of Title IV credit balances. Cause: BSU, BRCTC, CU, MCTC, SU, WVUP, and WVNCC did not have an internal control in place to review the contract with their third-party servicer of Title IV credit balances or obtain and review the third-party servicer’s Title IV compliance audit to ensure compliance with federal regulations. As such, instances of noncompliance were noted above. Effect or Potential Effect: The schools are not in compliance with certain federal regulations over T1 arrangements contained in 34 CFR 668.164(e). Questioned Costs: None Context: BSU, BRCTC, CU, MCTC, SU, WVNCC, and WVUP had total expenditures of $7,651,688, $5,084,582, $13,833,684, $4,467,631, $15,171,851, $3,090,314, and $6,847,451 respectively. Total expenditures for the SFA Cluster were $470,995,643 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: The schools should implement internal controls over the review of the contract with their third-party servicer of Title IV credit balances and their Title IV compliance audit, Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SOC 1) and Report on Controls Relevant to Security (SOC 2) to ensure compliance with the federal regulations over T1 arrangements. Documentation over the specific items reviewed and conclusions reached should be retained to support the operating effectiveness of internal controls. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–002 DHHR INFORMATION SYSTEM AND RELATED BUSINESS PROCESS CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF, Child Care and Development Fund (CCDF) Cluster, 93.575/93.596/COVID 19 93.575, Grant Award 2201WVCCDF, Grant Award 2201WVCCDM, Grant Award 2201WVCCDD, Grant Award 2301WVCCDF, Grant Award 2301WVCCDM, Grant Award 2301WVCCDD, Foster Care Title IV-E, 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: Family and Children Tracking System (FACTS): West Virginia Department of Health and Human Resources (DHHR) operates a wide variety of computer applications, many of which affect federal and State programs’ data. Our review of the information system controls noted that adequate segregation of duties does not exist for the FACTS information system. Certain users have the ability to both create and approve cases. We noted that management implemented a mitigating detect control for the Foster Care program during fiscal year 2012 in response to this repeat finding; however, it was not designed to encompass the Adoption Assistance program or automatic payments in the Foster Care program. Additionally, no supervisory review is required for provider payment information input into the system. Recipient Automated Payment Information Data System (RAPIDS): Our testing of the controls surrounding eligibility determination noted that adequate segregation of duties does not exist for the RAPIDS system. In addition, no supervisory review is required for case information input into the system. Further, it was noted that approval of disbursements only occurs at the batch level, which does not allow the approver to review each transaction individually. Cause: Controls have not been implemented over the segregation of duties within RAPIDS and FACTS. Furthermore, management indicated that a lack of personnel resources contributes to the improper segregation of duties issue. Effect or Potential Effect: Without proper segregation of duties or adequate detect controls, the ability exists for certain information system users to create and approve cases and demand payments within the FACTS and RAPIDS applications. Information can be input into the FACTS and RAPIDS applications or modified within the applications without supervisory review, which could lead to payments being made to ineligible applicants, for the improper amount, or for an improper length of time. Without proper segregation of duties or adequate detect controls, the ability exists for case workers to input unsupported information into an applicant’s eligibility calculation within RAPIDS. Further, without supervisory review at the transactional level, disbursements for unallowable costs or activities could occur. Questioned Costs: N/A Context: Total federal expenditures for these programs can be located in the Schedule of Expenditures of Federal Awards. Identification as a Repeat Finding: Prior Year Findings 2022–001 and 2021–001
Recommendation: We recommend that access to various FACTS and RAPIDS system applications be restricted to a limited number of users. Controls should be established to ensure that an individual is limited to either creating or approving cases or payments. A detect control should be implemented that would require a review of all individual cases and payments with the same request and approval worker to ensure that cases and payments created and approved were appropriate. Further, we recommend that a formal review process be implemented to ensure that information input into FACTS and RAPIDS is properly reviewed by authorized individuals prior to payment. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–004 INTERNAL CONTROLS OVER SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Opioid STR 93.788, Grant Award 1H79TI085744-01, Grant Award 1H79TI083313-01, Grant Award 6H79TI083313-02M002, Grant Award 6H79TI083313-02M004, Grant Award 5H79TI083313-02 Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04, Child Care and Development Fund (CCDF) Cluster 93.575/93.596/COVID-19 93.575, Grant Award G2201WVCCDF, Grant Award G2301WVCCDF Temporary Assistance for Needy Families 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: During our internal control testing of subrecipient monitoring, we determined that the subrecipient risk assessment performed did not clearly conclude the level of risk assessed (Low, Medium, High) for each subrecipient. Cause: The internal controls over subrecipient monitoring are not designed sufficiently to require a conclusion to be reached on a subrecipient’s risk assessment to determine the level of monitoring required to be performed. Effect or Potential Effect: Subrecipients may not be properly risk assessed; therefore, impacting the type and amount of monitoring that would be performed in the future. Questioned Costs: N/A Context: The federal expenditures and subrecipient expenditures for the Opioid STR program for the fiscal year ended June 30, 2023, were $34,877,309 and $32,388,417, respectively. The federal expenditures and subrecipient expenditures for the Child Care and Development Fund (CCDF Cluster) for the fiscal year ended June 30, 2023, were $202,427,780 and $45,239,361, respectively. The federal expenditures and subrecipient expenditures for the Temporary Assistance for Needy Families for the fiscal year ended June 30, 2023, were $85,510,454, and $18,789,521, respectively. Identification as a Repeat Finding: Prior Year Finding 2022–041 Recommendation: We recommend that DHHR management review its internal controls over the risk assessment process to perform the risk assessment and conclude on the level of risk and monitoring required. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–035 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – CHILD SUPPORT NON-COOPERATION, PENALTY FOR REFUSAL TO WORK, AND ADULT CUSTODIAL PARENT OF CHILD UNDER SIX WHEN CHILD CARE NOT AVAILABLE
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. Condition: The West Virginia Department of Health & Human Resources (DHHR) has policies and procedures in place surrounding the issuance and removal of sanctions; however, adequate documentation to determine that the controls were operating effectively was not consistently maintained or available. Cause: Internal controls over the documentation of the review and approval of the issuance or removal of sanctions against TANF recipients are not operating effectively. Effect or Potential Effect: Recipient benefits may potentially be reduced or increased in error or without appropriate cause. Questioned Costs: N/A Context: Total federal expenditures for Temporary Assistance for Needy Families (TANF) for the fiscal year ended June 30, 2023, were $85,510,454. Identification as a Repeat Finding: Prior Year Findings 2022–027 and 2021–028 Recommendation: We recommend that DHHR management maintain sufficient documentation to evidence its review prior to the issuance or removal of sanctions. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–036 SPECIAL TESTS AND PROVISIONS – PENALTY FOR REFUSAL TO WORK
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The State agency must maintain adequate documentation, verification, and internal control procedures to ensure the accuracy of the data used in calculating work participation rates. In so doing, it must have in place procedures to (a) determine whether its work activities may count for participation rate purposes; (b) determine how to count and verify reported hours of work; (c) identify who is a work-eligible individual; and (d) control internal data transmission and accuracy. Each State agency must comply with its HHS-approved Work Verification Plan in effect for the period that is audited. HHS may penalize the State by an amount not less than one percent and not more than five percent of the SFAG for violation of this provision (42 USC 601, 602, 607, and 609); 45 CFR sections 261.60, 261.61, 261.62, 261.63, 261.64, and 261.65). If an individual in a family receiving assistance refuses to engage in required work, a State must reduce assistance to the family, at least pro rata, with respect to any period during the month in which the individual so refuses or may terminate assistance. Any reduction or termination is subject to good cause or other exceptions as the State may establish (42 USC 607(e)(1); 45 CFR sections 261.13 and 261.14(a) and (b)). However, a State may not reduce or terminate assistance based on a refusal to work if the individual is a single custodial parent caring for a child who is less than 6 years of age if the individual can demonstrate the inability (as determined by the State) to obtain child care for one or more of the following reasons: (a) the unavailability of appropriate care within a reasonable distance of the individual’s work or home; (b) unavailability or unsuitability of informal child care; or (c) unavailability of appropriate and affordable formal child care (42 USC 607(e)(2); 45 CFR sections 261.15(a), 261.56, and 261.57). Condition: For one of the 40 cases selected for testing, the individual should not have been included in the overall population of individuals not participating in their assigned activity. The State has supporting documentation that the client had been participating in their assigned activity. We determined that the cause was from the individual being incorrectly included in the population provided by the state. Cause: There are insufficient internal controls in place surrounding the generation and review of the population of individuals not participating in an assigned activity provided to the auditor, and caseworker data entry into the Recipient Automated Payment Information Data System (RAPIDS). Effect or Potential Effect: The State may inappropriately reduce or terminate the assistance grant of an individual who refuses to engage in work but are subject to good cause or other exceptions established by the State. Further the State may not be able to effectively identify individuals that should or should not be subject to reductions or terminations in benefits. Questioned Costs: Unknown Context: Total federal expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that management implement policies and procedures to ensure that information in RAPIDS and populations are complete and accurate. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–037 SPECIAL TESTS AND PROVISIONS – INCOME ELIGIBILITY AND VERIFICATION SYSTEM
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF,
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Each state shall participate in the Income Eligibility and Verification System (IEVS) required by Section 1137 of the Social Security Act as amended. Under the state plan the state is required to coordinate data exchanges with other federally assisted benefit programs, request and use income and benefit information when making eligibility determinations and adhere to standardized formats and procedures in exchanging information with other programs and agencies. Specifically, the state is required to request and obtain information as follows (42 USC 1320b-7; 45CFR section 205.55). (a) Wage information from the state Wage Information Collection Agency (SWICA) should be obtained for all applicants at the first opportunity following receipt of the application, and for all recipients on a quarterly basis. (b) Unemployment Compensation (UC) information should be obtained for all applicants at the first opportunity, and in each of the first three months in which the individual is receiving aid. This information should also be obtained in each of the first three months following any recipient-reported loss of employment. If an individual is found to be receiving UC, the information should be requested until benefits are exhausted. (c) All available information from the Social Security Administration (SSA) for all applicants at the first opportunity. (d) Information from the U.S. Citizenship and Immigration Services and any other information from other agencies in the state or in other states that might provide income or other useful information. (e) Unearned income from the Internal Revenue Service (IRS). Condition: During testing of 40 TANF cases subject to IEVS, we noted the following: Control - For 40 of the 40 cases selected for control testing, adequate documentation of review of the data exchanges, and system matches, and review of actions taken by the caseworker when required was not provided. Compliance- For 3 of the 40 cases selected for testing, the recipient did not appear to be receiving WVWorks benefits. The auditor was unable to determine if these cases should have been subject to a data match under TANF. For 12 of the 40 cases selected for testing, the recipient appeared to be receiving WVWorks benefits, and a data match indicating caseworker action required was noted, but no action was completed. Additionally, additional documentation supporting no action required for the match was not available. For the remaining 25 of the 40 cases, the recipient appeared to be receiving WVWorks, a data match occurred, and related worker action was taken, but documentation supporting the action was not available. In addition, the auditor could not determine if specific action items were completed relating to individual exchange types. Cause: There are insufficient internal controls in place surrounding the generation and review of populations provided to the auditor, the Income Eligibility and Verification System matches, and the caseworker actions required within the Recipient Automated Payment Information Data System (RAPIDS). Also, insufficient documentation surrounding matches made between the information systems and actions taken after a match is made. Effect or Potential Effect: The State of WV may not be coordinating data exchanges with other federally assisted benefit programs as required by the state plan. Questioned Costs: Unknown Context: Total federal expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454. Identification as a Repeat Finding: Prior Year Finding 2022–028 and 2021–029 Recommendation: We recommend that management implement policies and procedures to ensure that information in RAPIDS and populations are complete and accurate. In addition, we also recommend DHHR evaluate their control over the caseworker action requirement within RAPIDS on matches related to the IEVS. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–038 SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.332(a) requires that a pass-through entity “Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward.” Required information includes the Federal Award Identification Number (FAIN). Condition: For four of four subawards selected for testing for subrecipient monitoring, the West Virginia Department of Education (DOE) did not communicate the FAIN to the subrecipient in the subaward. Cause: There are insufficient internal controls in place surrounding what information is included in the subaward. Effect or Potential Effect: The DOE is not providing required information to their subrecipients and therefore, not complying with federal regulations. Questioned Costs: Unknown Context: The federal expenditures and subrecipient expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454, and $18,789,521, respectively. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that DOE implement policies and procedures to ensure that the subawards include all requirements information to be communication to subrecipients in line with federal regulations. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–039 ELIGIBILITY
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): Any family that includes an adult or minor child head of household or a spouse of the head of household who has received assistance under any State program funded by federal Temporary Assistance for Needy Families (TANF) funds for 60 months (whether or not consecutive) is ineligible for additional federally funded TANF assistance. However, the State may extend assistance to a family on the basis of hardship, as defined by the State, or if a family member has been battered or subjected to extreme cruelty. In determining the number of months for which the head of household or the spouse of the head of household has received assistance, the State must not count any month during which the adult received the assistance while living in ©ndian country or in an Alaskan Native Village and the most reliable data available with respect to that month (or a period including that month) indicate at least 50% of the adults living in Indian country or in the village were not employed (42 USC 608(a)(7); 45 CFR sections 264.1(a), (b), and (c)). Further, the average monthly number of families that include an adult or minor child head of household, or the spouse of the head of household, who has received assistance under any State program funded by federal TANF funds for more than 60 countable months (whether or not consecutive) may not exceed 20 percent of the average monthly number of all families to which the State provided assistance during the fiscal year or the immediately preceding fiscal year (but not both), as the State may elect (42 USC 608(a)(7)(C)(ii); 45 CFR sections 264.1(c) and©)). Condition: During analysis of the TANF Data Report, ACF 199, two individuals were noted to have received TANF benefits for 61 months and one individual received benefits for 86 months. Cause: Management indicated the finding was caused by worker errors and insufficient verification of case information. Internal controls are not suitably designed to review and approve participant eligibility applications. Effect or Potential Effect: Ineligible claims may have been reimbursed using federal funds. Questioned Costs: $1,754 Context: Total federal expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that management implement policies and procedures to ensure that information in RAPIDS is complete and accurate to ensure compliance with eligibility requirements. In addition, we also recommend DHHR evaluate the effectiveness of the current training programs for the TANF program to ensure adequate technical training is provided. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–040 SPECIAL TESTS AND PROVISIONS – PENALTY FOR FAILURE TO COMPLY WITH WORK VERFICATION PLAN
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WV TANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The state agency must maintain adequate documentation, verification, and internal control procedures to ensure the accuracy of the data used in calculating work participation rates. In so doing, it must have in place procedures to (a) determine whether its work activities may count for participation rate purposes; (b) determine how to count and verify reported hours of work; (c) identify who is a work-eligible individual; and (d) control internal data transmission and accuracy. Each state agency must comply with its HHS-approved Work Verification Plan in effect for the period that is audited. HHS may penalize the state by an amount not less than one percent and not more than five percent of the SFAG for violation of this provision (42 USC 601, 602, 607, and 609); 45 CFR sections 261.60, 261.61, 261.62, 261.63, 261.64, and 261.65). Condition: For one of the 40 cases selected for testing, the individual’s work eligibility and participation status documented in the case file and RAPIDS were not consistent with the data elements reported. For one of the 40 cases selected for testing, there was conflicting information for the participation hours for the individual/month selected. The incorrect information was included in the data elements reported. Cause: The discrepancies between data elements reported and supported were due to caseworker errors. Internal controls are not suitably designed to review and approve participant eligibility applications. Effect or Potential Effect: The auditor was unable to determine if the auditee was in compliance with the specified compliance requirement. Questioned Costs: Unknown Context: Total federal expenditures for TANF for the fiscal year ended June 30, 2023 were $85,510,454. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that management implement policies and procedures to ensure that information in RAPIDS is complete and accurate. In addition, we also recommend DHHR evaluate the effectiveness of the current training programs for the TANF program to ensure adequate technical training is provided. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–041 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF, Low-Income Home Energy Assistance, 93.568/COVID-19 93.568, Grant Award G-2101WVE5C6, Grant Award G-2201WVLIEA, Grant Award G-2201WVLIEI, Grant Award G-2301WVLIEE, Grant Award G-2301WVLIEA, Grant Award G-2301WVLIEI Criteria or specific requirement (including statutory, regulatory, or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) reports for the Temporary Assistance for Needy Families (TANF) program, the subawards were not reported timely and support could not be provided for certain required data elements. Therefore, the TANF program was not in compliance with the provisions of 2 CFR 170 Appendix A. During our testing of Federal Funding Accountability and Transparency Act (FFATA) reports for the Low-Income Home Energy Assistance (LIHEAP) program, it was noted that the reports were not submitted by the Department of Health and Human Resources (DHHR) within the timeframe designated in 2 CFR 170 Appendix A, as well as did not contain accurate subaward grant numbers.
Cause: The West Virginia Department of Health and Human Resources (DHHR) received awards directly from the federal awarding agency. DHHR passed through a portion of the awards to other non-federal entities that were also agencies of the State. Those other agencies of the State subsequently passed through a portion of their awards to other non-federal entities that are not agencies of the State. When DHHR passed through the awards to other agencies of the State, DHHR used their standard grant agreement template since those agencies were external to DHHR. When completing the FFATA reports, the DHHR inappropriately entered the other State agencies as the subrecipient/subawardee and did not report the first-tier subrecipients of DOE timely. DHHR was also not able to provide supporting documentation for the subrecipients unique entity identification (UEI) number. Effect or Potential Effect: The FFATA reports were not submitted timely, and documentation could not be provided to ensure all required data elements were accurate. Questioned Costs: N/A Context: Subawards for the TANF program awarded by the West Virginia Department of Education (DOE) included 11 subawards that totaled $5,653,405 for the year ended June 30, 2023. The 5 subawards that were reported to the FFATA Subaward Reporting System incorrectly and/or late represent the entirety of the $2,851,508 selected for testing. Total federal expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454. Subawards for the LIHEAP program included 28 subawards that totaled $17,348,041 for the year ended June 30, 2023. The 5 subawards that were incorrectly reported to the FFATA Subaward Reporting System represent the entirety of the $3,775,558 selected for testing. Total federal expenditures for LIHEAP for the fiscal year ended June 30, 2023, were $78,229,389. Identification as a Repeat Finding: Prior Year Finding 2022-029 Recommendation: DHHR should consider the State of West Virginia to be the prime recipient. Even if the DHHR passes through a portion of a federal award to other non-federal entities that are agencies of the State, the DHHR should consider those agencies to be part of the prime recipient tier instead of subrecipients. Regardless of the State agency that receives the award directly from the federal awarding agency, the only time a subrecipient relationship exists for the State is when a portion of the award is passed through to a non-federal entity that is not an agency of the State. Accordingly, when DHHR receives and passes through a portion of a federal award to another agency of the State, DHHR should work with the other agency when completing the FFATA reports in an effort to ensure that all subawardee information is complete and accurate. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–002 DHHR INFORMATION SYSTEM AND RELATED BUSINESS PROCESS CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF, Child Care and Development Fund (CCDF) Cluster, 93.575/93.596/COVID 19 93.575, Grant Award 2201WVCCDF, Grant Award 2201WVCCDM, Grant Award 2201WVCCDD, Grant Award 2301WVCCDF, Grant Award 2301WVCCDM, Grant Award 2301WVCCDD, Foster Care Title IV-E, 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: Family and Children Tracking System (FACTS): West Virginia Department of Health and Human Resources (DHHR) operates a wide variety of computer applications, many of which affect federal and State programs’ data. Our review of the information system controls noted that adequate segregation of duties does not exist for the FACTS information system. Certain users have the ability to both create and approve cases. We noted that management implemented a mitigating detect control for the Foster Care program during fiscal year 2012 in response to this repeat finding; however, it was not designed to encompass the Adoption Assistance program or automatic payments in the Foster Care program. Additionally, no supervisory review is required for provider payment information input into the system. Recipient Automated Payment Information Data System (RAPIDS): Our testing of the controls surrounding eligibility determination noted that adequate segregation of duties does not exist for the RAPIDS system. In addition, no supervisory review is required for case information input into the system. Further, it was noted that approval of disbursements only occurs at the batch level, which does not allow the approver to review each transaction individually. Cause: Controls have not been implemented over the segregation of duties within RAPIDS and FACTS. Furthermore, management indicated that a lack of personnel resources contributes to the improper segregation of duties issue. Effect or Potential Effect: Without proper segregation of duties or adequate detect controls, the ability exists for certain information system users to create and approve cases and demand payments within the FACTS and RAPIDS applications. Information can be input into the FACTS and RAPIDS applications or modified within the applications without supervisory review, which could lead to payments being made to ineligible applicants, for the improper amount, or for an improper length of time. Without proper segregation of duties or adequate detect controls, the ability exists for case workers to input unsupported information into an applicant’s eligibility calculation within RAPIDS. Further, without supervisory review at the transactional level, disbursements for unallowable costs or activities could occur. Questioned Costs: N/A Context: Total federal expenditures for these programs can be located in the Schedule of Expenditures of Federal Awards. Identification as a Repeat Finding: Prior Year Findings 2022–001 and 2021–001
Recommendation: We recommend that access to various FACTS and RAPIDS system applications be restricted to a limited number of users. Controls should be established to ensure that an individual is limited to either creating or approving cases or payments. A detect control should be implemented that would require a review of all individual cases and payments with the same request and approval worker to ensure that cases and payments created and approved were appropriate. Further, we recommend that a formal review process be implemented to ensure that information input into FACTS and RAPIDS is properly reviewed by authorized individuals prior to payment. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–004 INTERNAL CONTROLS OVER SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Opioid STR 93.788, Grant Award 1H79TI085744-01, Grant Award 1H79TI083313-01, Grant Award 6H79TI083313-02M002, Grant Award 6H79TI083313-02M004, Grant Award 5H79TI083313-02 Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04, Child Care and Development Fund (CCDF) Cluster 93.575/93.596/COVID-19 93.575, Grant Award G2201WVCCDF, Grant Award G2301WVCCDF Temporary Assistance for Needy Families 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: During our internal control testing of subrecipient monitoring, we determined that the subrecipient risk assessment performed did not clearly conclude the level of risk assessed (Low, Medium, High) for each subrecipient. Cause: The internal controls over subrecipient monitoring are not designed sufficiently to require a conclusion to be reached on a subrecipient’s risk assessment to determine the level of monitoring required to be performed. Effect or Potential Effect: Subrecipients may not be properly risk assessed; therefore, impacting the type and amount of monitoring that would be performed in the future. Questioned Costs: N/A Context: The federal expenditures and subrecipient expenditures for the Opioid STR program for the fiscal year ended June 30, 2023, were $34,877,309 and $32,388,417, respectively. The federal expenditures and subrecipient expenditures for the Child Care and Development Fund (CCDF Cluster) for the fiscal year ended June 30, 2023, were $202,427,780 and $45,239,361, respectively. The federal expenditures and subrecipient expenditures for the Temporary Assistance for Needy Families for the fiscal year ended June 30, 2023, were $85,510,454, and $18,789,521, respectively. Identification as a Repeat Finding: Prior Year Finding 2022–041 Recommendation: We recommend that DHHR management review its internal controls over the risk assessment process to perform the risk assessment and conclude on the level of risk and monitoring required. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–035 INTERNAL CONTROLS OVER SPECIAL TESTS AND PROVISIONS – CHILD SUPPORT NON-COOPERATION, PENALTY FOR REFUSAL TO WORK, AND ADULT CUSTODIAL PARENT OF CHILD UNDER SIX WHEN CHILD CARE NOT AVAILABLE
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. Condition: The West Virginia Department of Health & Human Resources (DHHR) has policies and procedures in place surrounding the issuance and removal of sanctions; however, adequate documentation to determine that the controls were operating effectively was not consistently maintained or available. Cause: Internal controls over the documentation of the review and approval of the issuance or removal of sanctions against TANF recipients are not operating effectively. Effect or Potential Effect: Recipient benefits may potentially be reduced or increased in error or without appropriate cause. Questioned Costs: N/A Context: Total federal expenditures for Temporary Assistance for Needy Families (TANF) for the fiscal year ended June 30, 2023, were $85,510,454. Identification as a Repeat Finding: Prior Year Findings 2022–027 and 2021–028 Recommendation: We recommend that DHHR management maintain sufficient documentation to evidence its review prior to the issuance or removal of sanctions. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–036 SPECIAL TESTS AND PROVISIONS – PENALTY FOR REFUSAL TO WORK
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The State agency must maintain adequate documentation, verification, and internal control procedures to ensure the accuracy of the data used in calculating work participation rates. In so doing, it must have in place procedures to (a) determine whether its work activities may count for participation rate purposes; (b) determine how to count and verify reported hours of work; (c) identify who is a work-eligible individual; and (d) control internal data transmission and accuracy. Each State agency must comply with its HHS-approved Work Verification Plan in effect for the period that is audited. HHS may penalize the State by an amount not less than one percent and not more than five percent of the SFAG for violation of this provision (42 USC 601, 602, 607, and 609); 45 CFR sections 261.60, 261.61, 261.62, 261.63, 261.64, and 261.65). If an individual in a family receiving assistance refuses to engage in required work, a State must reduce assistance to the family, at least pro rata, with respect to any period during the month in which the individual so refuses or may terminate assistance. Any reduction or termination is subject to good cause or other exceptions as the State may establish (42 USC 607(e)(1); 45 CFR sections 261.13 and 261.14(a) and (b)). However, a State may not reduce or terminate assistance based on a refusal to work if the individual is a single custodial parent caring for a child who is less than 6 years of age if the individual can demonstrate the inability (as determined by the State) to obtain child care for one or more of the following reasons: (a) the unavailability of appropriate care within a reasonable distance of the individual’s work or home; (b) unavailability or unsuitability of informal child care; or (c) unavailability of appropriate and affordable formal child care (42 USC 607(e)(2); 45 CFR sections 261.15(a), 261.56, and 261.57). Condition: For one of the 40 cases selected for testing, the individual should not have been included in the overall population of individuals not participating in their assigned activity. The State has supporting documentation that the client had been participating in their assigned activity. We determined that the cause was from the individual being incorrectly included in the population provided by the state. Cause: There are insufficient internal controls in place surrounding the generation and review of the population of individuals not participating in an assigned activity provided to the auditor, and caseworker data entry into the Recipient Automated Payment Information Data System (RAPIDS). Effect or Potential Effect: The State may inappropriately reduce or terminate the assistance grant of an individual who refuses to engage in work but are subject to good cause or other exceptions established by the State. Further the State may not be able to effectively identify individuals that should or should not be subject to reductions or terminations in benefits. Questioned Costs: Unknown Context: Total federal expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that management implement policies and procedures to ensure that information in RAPIDS and populations are complete and accurate. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–037 SPECIAL TESTS AND PROVISIONS – INCOME ELIGIBILITY AND VERIFICATION SYSTEM
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF,
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Each state shall participate in the Income Eligibility and Verification System (IEVS) required by Section 1137 of the Social Security Act as amended. Under the state plan the state is required to coordinate data exchanges with other federally assisted benefit programs, request and use income and benefit information when making eligibility determinations and adhere to standardized formats and procedures in exchanging information with other programs and agencies. Specifically, the state is required to request and obtain information as follows (42 USC 1320b-7; 45CFR section 205.55). (a) Wage information from the state Wage Information Collection Agency (SWICA) should be obtained for all applicants at the first opportunity following receipt of the application, and for all recipients on a quarterly basis. (b) Unemployment Compensation (UC) information should be obtained for all applicants at the first opportunity, and in each of the first three months in which the individual is receiving aid. This information should also be obtained in each of the first three months following any recipient-reported loss of employment. If an individual is found to be receiving UC, the information should be requested until benefits are exhausted. (c) All available information from the Social Security Administration (SSA) for all applicants at the first opportunity. (d) Information from the U.S. Citizenship and Immigration Services and any other information from other agencies in the state or in other states that might provide income or other useful information. (e) Unearned income from the Internal Revenue Service (IRS). Condition: During testing of 40 TANF cases subject to IEVS, we noted the following: Control - For 40 of the 40 cases selected for control testing, adequate documentation of review of the data exchanges, and system matches, and review of actions taken by the caseworker when required was not provided. Compliance- For 3 of the 40 cases selected for testing, the recipient did not appear to be receiving WVWorks benefits. The auditor was unable to determine if these cases should have been subject to a data match under TANF. For 12 of the 40 cases selected for testing, the recipient appeared to be receiving WVWorks benefits, and a data match indicating caseworker action required was noted, but no action was completed. Additionally, additional documentation supporting no action required for the match was not available. For the remaining 25 of the 40 cases, the recipient appeared to be receiving WVWorks, a data match occurred, and related worker action was taken, but documentation supporting the action was not available. In addition, the auditor could not determine if specific action items were completed relating to individual exchange types. Cause: There are insufficient internal controls in place surrounding the generation and review of populations provided to the auditor, the Income Eligibility and Verification System matches, and the caseworker actions required within the Recipient Automated Payment Information Data System (RAPIDS). Also, insufficient documentation surrounding matches made between the information systems and actions taken after a match is made. Effect or Potential Effect: The State of WV may not be coordinating data exchanges with other federally assisted benefit programs as required by the state plan. Questioned Costs: Unknown Context: Total federal expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454. Identification as a Repeat Finding: Prior Year Finding 2022–028 and 2021–029 Recommendation: We recommend that management implement policies and procedures to ensure that information in RAPIDS and populations are complete and accurate. In addition, we also recommend DHHR evaluate their control over the caseworker action requirement within RAPIDS on matches related to the IEVS. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–038 SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.332(a) requires that a pass-through entity “Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward.” Required information includes the Federal Award Identification Number (FAIN). Condition: For four of four subawards selected for testing for subrecipient monitoring, the West Virginia Department of Education (DOE) did not communicate the FAIN to the subrecipient in the subaward. Cause: There are insufficient internal controls in place surrounding what information is included in the subaward. Effect or Potential Effect: The DOE is not providing required information to their subrecipients and therefore, not complying with federal regulations. Questioned Costs: Unknown Context: The federal expenditures and subrecipient expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454, and $18,789,521, respectively. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that DOE implement policies and procedures to ensure that the subawards include all requirements information to be communication to subrecipients in line with federal regulations. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–039 ELIGIBILITY
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): Any family that includes an adult or minor child head of household or a spouse of the head of household who has received assistance under any State program funded by federal Temporary Assistance for Needy Families (TANF) funds for 60 months (whether or not consecutive) is ineligible for additional federally funded TANF assistance. However, the State may extend assistance to a family on the basis of hardship, as defined by the State, or if a family member has been battered or subjected to extreme cruelty. In determining the number of months for which the head of household or the spouse of the head of household has received assistance, the State must not count any month during which the adult received the assistance while living in ©ndian country or in an Alaskan Native Village and the most reliable data available with respect to that month (or a period including that month) indicate at least 50% of the adults living in Indian country or in the village were not employed (42 USC 608(a)(7); 45 CFR sections 264.1(a), (b), and (c)). Further, the average monthly number of families that include an adult or minor child head of household, or the spouse of the head of household, who has received assistance under any State program funded by federal TANF funds for more than 60 countable months (whether or not consecutive) may not exceed 20 percent of the average monthly number of all families to which the State provided assistance during the fiscal year or the immediately preceding fiscal year (but not both), as the State may elect (42 USC 608(a)(7)(C)(ii); 45 CFR sections 264.1(c) and©)). Condition: During analysis of the TANF Data Report, ACF 199, two individuals were noted to have received TANF benefits for 61 months and one individual received benefits for 86 months. Cause: Management indicated the finding was caused by worker errors and insufficient verification of case information. Internal controls are not suitably designed to review and approve participant eligibility applications. Effect or Potential Effect: Ineligible claims may have been reimbursed using federal funds. Questioned Costs: $1,754 Context: Total federal expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that management implement policies and procedures to ensure that information in RAPIDS is complete and accurate to ensure compliance with eligibility requirements. In addition, we also recommend DHHR evaluate the effectiveness of the current training programs for the TANF program to ensure adequate technical training is provided. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–040 SPECIAL TESTS AND PROVISIONS – PENALTY FOR FAILURE TO COMPLY WITH WORK VERFICATION PLAN
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WV TANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The state agency must maintain adequate documentation, verification, and internal control procedures to ensure the accuracy of the data used in calculating work participation rates. In so doing, it must have in place procedures to (a) determine whether its work activities may count for participation rate purposes; (b) determine how to count and verify reported hours of work; (c) identify who is a work-eligible individual; and (d) control internal data transmission and accuracy. Each state agency must comply with its HHS-approved Work Verification Plan in effect for the period that is audited. HHS may penalize the state by an amount not less than one percent and not more than five percent of the SFAG for violation of this provision (42 USC 601, 602, 607, and 609); 45 CFR sections 261.60, 261.61, 261.62, 261.63, 261.64, and 261.65). Condition: For one of the 40 cases selected for testing, the individual’s work eligibility and participation status documented in the case file and RAPIDS were not consistent with the data elements reported. For one of the 40 cases selected for testing, there was conflicting information for the participation hours for the individual/month selected. The incorrect information was included in the data elements reported. Cause: The discrepancies between data elements reported and supported were due to caseworker errors. Internal controls are not suitably designed to review and approve participant eligibility applications. Effect or Potential Effect: The auditor was unable to determine if the auditee was in compliance with the specified compliance requirement. Questioned Costs: Unknown Context: Total federal expenditures for TANF for the fiscal year ended June 30, 2023 were $85,510,454. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that management implement policies and procedures to ensure that information in RAPIDS is complete and accurate. In addition, we also recommend DHHR evaluate the effectiveness of the current training programs for the TANF program to ensure adequate technical training is provided. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–041 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF, Low-Income Home Energy Assistance, 93.568/COVID-19 93.568, Grant Award G-2101WVE5C6, Grant Award G-2201WVLIEA, Grant Award G-2201WVLIEI, Grant Award G-2301WVLIEE, Grant Award G-2301WVLIEA, Grant Award G-2301WVLIEI Criteria or specific requirement (including statutory, regulatory, or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) reports for the Temporary Assistance for Needy Families (TANF) program, the subawards were not reported timely and support could not be provided for certain required data elements. Therefore, the TANF program was not in compliance with the provisions of 2 CFR 170 Appendix A. During our testing of Federal Funding Accountability and Transparency Act (FFATA) reports for the Low-Income Home Energy Assistance (LIHEAP) program, it was noted that the reports were not submitted by the Department of Health and Human Resources (DHHR) within the timeframe designated in 2 CFR 170 Appendix A, as well as did not contain accurate subaward grant numbers.
Cause: The West Virginia Department of Health and Human Resources (DHHR) received awards directly from the federal awarding agency. DHHR passed through a portion of the awards to other non-federal entities that were also agencies of the State. Those other agencies of the State subsequently passed through a portion of their awards to other non-federal entities that are not agencies of the State. When DHHR passed through the awards to other agencies of the State, DHHR used their standard grant agreement template since those agencies were external to DHHR. When completing the FFATA reports, the DHHR inappropriately entered the other State agencies as the subrecipient/subawardee and did not report the first-tier subrecipients of DOE timely. DHHR was also not able to provide supporting documentation for the subrecipients unique entity identification (UEI) number. Effect or Potential Effect: The FFATA reports were not submitted timely, and documentation could not be provided to ensure all required data elements were accurate. Questioned Costs: N/A Context: Subawards for the TANF program awarded by the West Virginia Department of Education (DOE) included 11 subawards that totaled $5,653,405 for the year ended June 30, 2023. The 5 subawards that were reported to the FFATA Subaward Reporting System incorrectly and/or late represent the entirety of the $2,851,508 selected for testing. Total federal expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454. Subawards for the LIHEAP program included 28 subawards that totaled $17,348,041 for the year ended June 30, 2023. The 5 subawards that were incorrectly reported to the FFATA Subaward Reporting System represent the entirety of the $3,775,558 selected for testing. Total federal expenditures for LIHEAP for the fiscal year ended June 30, 2023, were $78,229,389. Identification as a Repeat Finding: Prior Year Finding 2022-029 Recommendation: DHHR should consider the State of West Virginia to be the prime recipient. Even if the DHHR passes through a portion of a federal award to other non-federal entities that are agencies of the State, the DHHR should consider those agencies to be part of the prime recipient tier instead of subrecipients. Regardless of the State agency that receives the award directly from the federal awarding agency, the only time a subrecipient relationship exists for the State is when a portion of the award is passed through to a non-federal entity that is not an agency of the State. Accordingly, when DHHR receives and passes through a portion of a federal award to another agency of the State, DHHR should work with the other agency when completing the FFATA reports in an effort to ensure that all subawardee information is complete and accurate. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–041 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF, Low-Income Home Energy Assistance, 93.568/COVID-19 93.568, Grant Award G-2101WVE5C6, Grant Award G-2201WVLIEA, Grant Award G-2201WVLIEI, Grant Award G-2301WVLIEE, Grant Award G-2301WVLIEA, Grant Award G-2301WVLIEI Criteria or specific requirement (including statutory, regulatory, or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) reports for the Temporary Assistance for Needy Families (TANF) program, the subawards were not reported timely and support could not be provided for certain required data elements. Therefore, the TANF program was not in compliance with the provisions of 2 CFR 170 Appendix A. During our testing of Federal Funding Accountability and Transparency Act (FFATA) reports for the Low-Income Home Energy Assistance (LIHEAP) program, it was noted that the reports were not submitted by the Department of Health and Human Resources (DHHR) within the timeframe designated in 2 CFR 170 Appendix A, as well as did not contain accurate subaward grant numbers.
Cause: The West Virginia Department of Health and Human Resources (DHHR) received awards directly from the federal awarding agency. DHHR passed through a portion of the awards to other non-federal entities that were also agencies of the State. Those other agencies of the State subsequently passed through a portion of their awards to other non-federal entities that are not agencies of the State. When DHHR passed through the awards to other agencies of the State, DHHR used their standard grant agreement template since those agencies were external to DHHR. When completing the FFATA reports, the DHHR inappropriately entered the other State agencies as the subrecipient/subawardee and did not report the first-tier subrecipients of DOE timely. DHHR was also not able to provide supporting documentation for the subrecipients unique entity identification (UEI) number. Effect or Potential Effect: The FFATA reports were not submitted timely, and documentation could not be provided to ensure all required data elements were accurate. Questioned Costs: N/A Context: Subawards for the TANF program awarded by the West Virginia Department of Education (DOE) included 11 subawards that totaled $5,653,405 for the year ended June 30, 2023. The 5 subawards that were reported to the FFATA Subaward Reporting System incorrectly and/or late represent the entirety of the $2,851,508 selected for testing. Total federal expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454. Subawards for the LIHEAP program included 28 subawards that totaled $17,348,041 for the year ended June 30, 2023. The 5 subawards that were incorrectly reported to the FFATA Subaward Reporting System represent the entirety of the $3,775,558 selected for testing. Total federal expenditures for LIHEAP for the fiscal year ended June 30, 2023, were $78,229,389. Identification as a Repeat Finding: Prior Year Finding 2022-029 Recommendation: DHHR should consider the State of West Virginia to be the prime recipient. Even if the DHHR passes through a portion of a federal award to other non-federal entities that are agencies of the State, the DHHR should consider those agencies to be part of the prime recipient tier instead of subrecipients. Regardless of the State agency that receives the award directly from the federal awarding agency, the only time a subrecipient relationship exists for the State is when a portion of the award is passed through to a non-federal entity that is not an agency of the State. Accordingly, when DHHR receives and passes through a portion of a federal award to another agency of the State, DHHR should work with the other agency when completing the FFATA reports in an effort to ensure that all subawardee information is complete and accurate. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–046 ELIGIBILITY
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Low-Income Home Energy Assistance 93.568/COVID-19 93.568, Grant Award G-2101WVE5C6, Grant Award G-2201WVLIEA, Grant Award G-2201WVLIEI, Grant Award G-2301WVLIEE, Grant Award G-2301WVLIEA, Grant Award G-2301WVLIEI Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” LIHEAP requires the West Virginia Department of Health and Human Resources (DHHR) to determine whether federal monies are spent in accordance with the eligibility guidelines promulgated by 42 USC 8624(b)(2). Condition: During our testing of 40 LIHEAP benefit payments for eligibility, we noted that three of the six sampled cases from May and June 2023 were paid using the incorrect benefit amount. Cause: Management indicated that the errors were due to the benefit tables not being properly updated within the RAPIDS system to properly calculate the recipients’ benefits during the months of May and June 2023. This was due to insufficient oversight to ensure the table amounts were correct and the benefits were calculating properly. Effect or Potential Effect: Benefit payments were made at the incorrect amount based on the eligible recipients household size, income, and source of energy. Questioned Costs: $1,637 LIHEAP #93.568, Grant # G-2301WVLIEE Context: The three instances noted (three out of six case files tested for May and June, 2023) represent $1,637 of benefit payments out of $3,471 tested from those months. Total payments for benefit assistance for the LIHEAP program were $2,659,674 for the months of May and June 2023 and were $58,226,354 for the year ended June 30, 2023. The federal expenditures for the LIHEAP program for the fiscal year ended June 30, 2023, were $78,229,389. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: DHHR should evaluate its policies and procedures to ensure that the benefit tables within the RAPIDS system are properly updated and reviewed to ensure that all recipients benefits are properly calculated. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–047 SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Low-Income Home Energy Assistance 93.568/COVID-19 93.568, Grant Award G-2101WVE5C6, Grant Award G-2201WVLIEA, Grant Award G-2201WVLIEI, Grant Award G-2301WVLIEE, Grant Award G-2301WVLIEA, Grant Award G-2301WVLIEI Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Per 2 CFR 200.332(f), “All pass-through entities must: Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient's Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in § 200.501.” Condition: During our testing of subrecipient monitoring for subrecipients subject to Uniform Guidance Audit Requirements, it was noted that for the five subrecipients selected that were subject to audit requirements, the management of the West Virginia Community Advancement and Development (WV CAD) was unable to provide supporting documentation that verified the agency performed due diligence to ensure that the subrecipients were properly audited in accordance with the provisions of 2 CFR 200.332(f). Cause: There was lack of supporting documentation provided to properly determine whether the WV CAD management properly verified whether all subrecipients had been audited that were required to be under the requirements of 2 CFR 200.332(f). Effect or Potential Effect: The WV CAD does not have proper internal controls in place to ensure policies and procedures surrounding subrecipient monitoring compliance requirements are in effect. The WV CAD does not have evidence to support that all subrecipients that were required to be audited were done so properly; therefore, this could result in subrecipients required to be audited not having an audit completed. Questioned Costs: N/A Context: Total expenditures and total subrecipient expenditures for the Low-Income Home Energy Assistance program for the year ended June 30, 2023, were $78,229,389 and $17,209,504, respectively. There were 16 total subrecipients and all 5 selected for testing were unable to provide information to support due diligence procedures over subrecipients. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that the WV CAD management review policies and procedures for sufficiency and commit appropriate personnel to subrecipient monitoring to ensure they are in compliance with all federal requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–041 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2022 – 2201WVTANF, Grant Award 2023 – 2301WVTANF, Low-Income Home Energy Assistance, 93.568/COVID-19 93.568, Grant Award G-2101WVE5C6, Grant Award G-2201WVLIEA, Grant Award G-2201WVLIEI, Grant Award G-2301WVLIEE, Grant Award G-2301WVLIEA, Grant Award G-2301WVLIEI Criteria or specific requirement (including statutory, regulatory, or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) reports for the Temporary Assistance for Needy Families (TANF) program, the subawards were not reported timely and support could not be provided for certain required data elements. Therefore, the TANF program was not in compliance with the provisions of 2 CFR 170 Appendix A. During our testing of Federal Funding Accountability and Transparency Act (FFATA) reports for the Low-Income Home Energy Assistance (LIHEAP) program, it was noted that the reports were not submitted by the Department of Health and Human Resources (DHHR) within the timeframe designated in 2 CFR 170 Appendix A, as well as did not contain accurate subaward grant numbers.
Cause: The West Virginia Department of Health and Human Resources (DHHR) received awards directly from the federal awarding agency. DHHR passed through a portion of the awards to other non-federal entities that were also agencies of the State. Those other agencies of the State subsequently passed through a portion of their awards to other non-federal entities that are not agencies of the State. When DHHR passed through the awards to other agencies of the State, DHHR used their standard grant agreement template since those agencies were external to DHHR. When completing the FFATA reports, the DHHR inappropriately entered the other State agencies as the subrecipient/subawardee and did not report the first-tier subrecipients of DOE timely. DHHR was also not able to provide supporting documentation for the subrecipients unique entity identification (UEI) number. Effect or Potential Effect: The FFATA reports were not submitted timely, and documentation could not be provided to ensure all required data elements were accurate. Questioned Costs: N/A Context: Subawards for the TANF program awarded by the West Virginia Department of Education (DOE) included 11 subawards that totaled $5,653,405 for the year ended June 30, 2023. The 5 subawards that were reported to the FFATA Subaward Reporting System incorrectly and/or late represent the entirety of the $2,851,508 selected for testing. Total federal expenditures for TANF for the fiscal year ended June 30, 2023, were $85,510,454. Subawards for the LIHEAP program included 28 subawards that totaled $17,348,041 for the year ended June 30, 2023. The 5 subawards that were incorrectly reported to the FFATA Subaward Reporting System represent the entirety of the $3,775,558 selected for testing. Total federal expenditures for LIHEAP for the fiscal year ended June 30, 2023, were $78,229,389. Identification as a Repeat Finding: Prior Year Finding 2022-029 Recommendation: DHHR should consider the State of West Virginia to be the prime recipient. Even if the DHHR passes through a portion of a federal award to other non-federal entities that are agencies of the State, the DHHR should consider those agencies to be part of the prime recipient tier instead of subrecipients. Regardless of the State agency that receives the award directly from the federal awarding agency, the only time a subrecipient relationship exists for the State is when a portion of the award is passed through to a non-federal entity that is not an agency of the State. Accordingly, when DHHR receives and passes through a portion of a federal award to another agency of the State, DHHR should work with the other agency when completing the FFATA reports in an effort to ensure that all subawardee information is complete and accurate. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–046 ELIGIBILITY
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Low-Income Home Energy Assistance 93.568/COVID-19 93.568, Grant Award G-2101WVE5C6, Grant Award G-2201WVLIEA, Grant Award G-2201WVLIEI, Grant Award G-2301WVLIEE, Grant Award G-2301WVLIEA, Grant Award G-2301WVLIEI Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” LIHEAP requires the West Virginia Department of Health and Human Resources (DHHR) to determine whether federal monies are spent in accordance with the eligibility guidelines promulgated by 42 USC 8624(b)(2). Condition: During our testing of 40 LIHEAP benefit payments for eligibility, we noted that three of the six sampled cases from May and June 2023 were paid using the incorrect benefit amount. Cause: Management indicated that the errors were due to the benefit tables not being properly updated within the RAPIDS system to properly calculate the recipients’ benefits during the months of May and June 2023. This was due to insufficient oversight to ensure the table amounts were correct and the benefits were calculating properly. Effect or Potential Effect: Benefit payments were made at the incorrect amount based on the eligible recipients household size, income, and source of energy. Questioned Costs: $1,637 LIHEAP #93.568, Grant # G-2301WVLIEE Context: The three instances noted (three out of six case files tested for May and June, 2023) represent $1,637 of benefit payments out of $3,471 tested from those months. Total payments for benefit assistance for the LIHEAP program were $2,659,674 for the months of May and June 2023 and were $58,226,354 for the year ended June 30, 2023. The federal expenditures for the LIHEAP program for the fiscal year ended June 30, 2023, were $78,229,389. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: DHHR should evaluate its policies and procedures to ensure that the benefit tables within the RAPIDS system are properly updated and reviewed to ensure that all recipients benefits are properly calculated. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–047 SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Low-Income Home Energy Assistance 93.568/COVID-19 93.568, Grant Award G-2101WVE5C6, Grant Award G-2201WVLIEA, Grant Award G-2201WVLIEI, Grant Award G-2301WVLIEE, Grant Award G-2301WVLIEA, Grant Award G-2301WVLIEI Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Per 2 CFR 200.332(f), “All pass-through entities must: Verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient's Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in § 200.501.” Condition: During our testing of subrecipient monitoring for subrecipients subject to Uniform Guidance Audit Requirements, it was noted that for the five subrecipients selected that were subject to audit requirements, the management of the West Virginia Community Advancement and Development (WV CAD) was unable to provide supporting documentation that verified the agency performed due diligence to ensure that the subrecipients were properly audited in accordance with the provisions of 2 CFR 200.332(f). Cause: There was lack of supporting documentation provided to properly determine whether the WV CAD management properly verified whether all subrecipients had been audited that were required to be under the requirements of 2 CFR 200.332(f). Effect or Potential Effect: The WV CAD does not have proper internal controls in place to ensure policies and procedures surrounding subrecipient monitoring compliance requirements are in effect. The WV CAD does not have evidence to support that all subrecipients that were required to be audited were done so properly; therefore, this could result in subrecipients required to be audited not having an audit completed. Questioned Costs: N/A Context: Total expenditures and total subrecipient expenditures for the Low-Income Home Energy Assistance program for the year ended June 30, 2023, were $78,229,389 and $17,209,504, respectively. There were 16 total subrecipients and all 5 selected for testing were unable to provide information to support due diligence procedures over subrecipients. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that the WV CAD management review policies and procedures for sufficiency and commit appropriate personnel to subrecipient monitoring to ensure they are in compliance with all federal requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–002 DHHR INFORMATION SYSTEM AND RELATED BUSINESS PROCESS CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF, Child Care and Development Fund (CCDF) Cluster, 93.575/93.596/COVID 19 93.575, Grant Award 2201WVCCDF, Grant Award 2201WVCCDM, Grant Award 2201WVCCDD, Grant Award 2301WVCCDF, Grant Award 2301WVCCDM, Grant Award 2301WVCCDD, Foster Care Title IV-E, 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: Family and Children Tracking System (FACTS): West Virginia Department of Health and Human Resources (DHHR) operates a wide variety of computer applications, many of which affect federal and State programs’ data. Our review of the information system controls noted that adequate segregation of duties does not exist for the FACTS information system. Certain users have the ability to both create and approve cases. We noted that management implemented a mitigating detect control for the Foster Care program during fiscal year 2012 in response to this repeat finding; however, it was not designed to encompass the Adoption Assistance program or automatic payments in the Foster Care program. Additionally, no supervisory review is required for provider payment information input into the system. Recipient Automated Payment Information Data System (RAPIDS): Our testing of the controls surrounding eligibility determination noted that adequate segregation of duties does not exist for the RAPIDS system. In addition, no supervisory review is required for case information input into the system. Further, it was noted that approval of disbursements only occurs at the batch level, which does not allow the approver to review each transaction individually. Cause: Controls have not been implemented over the segregation of duties within RAPIDS and FACTS. Furthermore, management indicated that a lack of personnel resources contributes to the improper segregation of duties issue. Effect or Potential Effect: Without proper segregation of duties or adequate detect controls, the ability exists for certain information system users to create and approve cases and demand payments within the FACTS and RAPIDS applications. Information can be input into the FACTS and RAPIDS applications or modified within the applications without supervisory review, which could lead to payments being made to ineligible applicants, for the improper amount, or for an improper length of time. Without proper segregation of duties or adequate detect controls, the ability exists for case workers to input unsupported information into an applicant’s eligibility calculation within RAPIDS. Further, without supervisory review at the transactional level, disbursements for unallowable costs or activities could occur. Questioned Costs: N/A Context: Total federal expenditures for these programs can be located in the Schedule of Expenditures of Federal Awards. Identification as a Repeat Finding: Prior Year Findings 2022–001 and 2021–001
Recommendation: We recommend that access to various FACTS and RAPIDS system applications be restricted to a limited number of users. Controls should be established to ensure that an individual is limited to either creating or approving cases or payments. A detect control should be implemented that would require a review of all individual cases and payments with the same request and approval worker to ensure that cases and payments created and approved were appropriate. Further, we recommend that a formal review process be implemented to ensure that information input into FACTS and RAPIDS is properly reviewed by authorized individuals prior to payment. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–003 INFORMATION TECHNOLOGY GENERAL CONTROLS – WVPATH
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Foster Care Title IV-E 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the wvPATH application. As a result, wvPATH ITGCs, and therefore, wvPATH application controls, cannot be relied upon in the period of audit. Cause: Management could not provide evidence to support wvPATH ITGC processes and controls including access provisioning, revocation of access, and a review of user access. Additionally, documentation was not provided related to wvPATH application change management requests to support updates / customizations to the application were authorized, tested and approved prior to being implemented to production. There was not a clear delineation of responsibilities between the State of West Virginia and the third-party software vendor related to the support and administration of the wvPATH application and supporting infrastructure. The third-party software vendor does not issue a System and Organization Controls (SOC) report for the services provided to the State of West Virginia. Effect or Potential Effect: There is a risk the data relevant to the Foster Care – Title IV-E and Adoption Assistance – Title IV-E programs stored within the wvPATH system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the wvPATH application. As a result, the wvPATH application cannot be relied on for the audit period. Questioned Costs: None Context: Total Foster Care Title IV-E expenditures for the year ended June 30, 2023 were $72,440,416. Total Adoption Assistance expenditures for the year ended June 30, 2023 were $83,731,768. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified wvPATH access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the wvPATH application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the wvPATH application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of wvPATH user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access, including those with privileged access, to the wvPATH application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. A formal, documented process should be implemented to capture authorization, testing and production migration approvals for change requests to the wvPATH application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. For IT processes and controls that are the responsibility of the third-party software vendor, management should evaluate the need for a SOC report for control activities performed by the vendor on behalf of the State of West Virginia. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–048 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES AND SPECIAL TESTS AND PROVISIONS – PAYMENT RATE SETTING AND APPLICATION
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Foster Care Title IV-E 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST Criteria or specific requirement (including statutory, regulatory, or other citation): 2 CFR 200 defines an improper payment as “any payment that should not have been made or that was made in an incorrect amount under statutory, contractual, administrative, or other legally applicable requirements. Incorrect amounts are overpayments or underpayments that are made to eligible recipients (including inappropriate denials of payment or service, any payment that does not account for credit for applicable discounts, payments that are for an incorrect amount, and duplicate payments.” 42 USC 671(a) requires that, to be eligible for payments under the Foster Care – Title IV-E program, States “shall have a plan approved by the Secretary which provides for foster care maintenance payments.” 45 CFR section 1356.21(m)(1) adds that “the title IV-E agency must review at reasonable, specific, time-limited periods to be established by the agency the amount of the payments made for foster care maintenance… to assure their continued appropriateness.” Condition: One of the 40 cases tested for allowability and payment rate setting and application resulted in an underpayment to a reimbursable provider based on the applicable approved rates. Cause: Management indicated that the errors resulted from oversights by caseworkers. Internal controls are not suitably designed to review and approve disbursements. Effect or Potential Effect: An improper payment was made using federal funds. Questioned Costs: N/A Context: Total federal expenditures for the Foster Care Title IV-E program were $72,440,416 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that DHHR review the current staffing and training programs to ensure sufficient staff levels are maintained and adequate technical training is provided. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–049 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES AND ELIGIBILITY
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Foster Care Title IV-E 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST Criteria or specific requirement (including statutory, regulatory, or other citation): 2 CFR 200.303 requires that the DHHR must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 1356.30(f) requires that “in order for a child care institution to be eligible for Title IV-E funding, the licensing file for the institution must contain documentation which verifies that safety considerations with respect to the staff of the institution have been addressed.” Condition: Ten of the 40 cases tested for eligibility related to providers whose licensing files did not initially include the required documentation of certain safety considerations, including criminal background checks for all adults working at the child care institution. During audit fieldwork, management obtained the required documentation related to safety considerations retained by the providers for eight of the 10 cases. Cause: Management indicated that the missing documentation was related to a misunderstanding of the requirement by licensing personnel. Effect or Potential Effect: An ineligible provider was paid using federal funds. Questioned Costs: $3,653 Context: The two cases without the required documentation represent $3,653 of Foster Care – Title IV-E payments out of a total sample of benefit payments tested for allowability and eligibility of $103,814. Total federal expenditures for the Foster Care – Title IV-E program were $72,440,416 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that DHHR obtain and maintain in the licensing file sufficient documentation from all providers to ensure compliance with required safety considerations. Additionally, we recommend that DHHR develop appropriate policies related to the supervision and review of provider licensing and safety consideration monitoring. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–002 DHHR INFORMATION SYSTEM AND RELATED BUSINESS PROCESS CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF, Child Care and Development Fund (CCDF) Cluster, 93.575/93.596/COVID 19 93.575, Grant Award 2201WVCCDF, Grant Award 2201WVCCDM, Grant Award 2201WVCCDD, Grant Award 2301WVCCDF, Grant Award 2301WVCCDM, Grant Award 2301WVCCDD, Foster Care Title IV-E, 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: Family and Children Tracking System (FACTS): West Virginia Department of Health and Human Resources (DHHR) operates a wide variety of computer applications, many of which affect federal and State programs’ data. Our review of the information system controls noted that adequate segregation of duties does not exist for the FACTS information system. Certain users have the ability to both create and approve cases. We noted that management implemented a mitigating detect control for the Foster Care program during fiscal year 2012 in response to this repeat finding; however, it was not designed to encompass the Adoption Assistance program or automatic payments in the Foster Care program. Additionally, no supervisory review is required for provider payment information input into the system. Recipient Automated Payment Information Data System (RAPIDS): Our testing of the controls surrounding eligibility determination noted that adequate segregation of duties does not exist for the RAPIDS system. In addition, no supervisory review is required for case information input into the system. Further, it was noted that approval of disbursements only occurs at the batch level, which does not allow the approver to review each transaction individually. Cause: Controls have not been implemented over the segregation of duties within RAPIDS and FACTS. Furthermore, management indicated that a lack of personnel resources contributes to the improper segregation of duties issue. Effect or Potential Effect: Without proper segregation of duties or adequate detect controls, the ability exists for certain information system users to create and approve cases and demand payments within the FACTS and RAPIDS applications. Information can be input into the FACTS and RAPIDS applications or modified within the applications without supervisory review, which could lead to payments being made to ineligible applicants, for the improper amount, or for an improper length of time. Without proper segregation of duties or adequate detect controls, the ability exists for case workers to input unsupported information into an applicant’s eligibility calculation within RAPIDS. Further, without supervisory review at the transactional level, disbursements for unallowable costs or activities could occur. Questioned Costs: N/A Context: Total federal expenditures for these programs can be located in the Schedule of Expenditures of Federal Awards. Identification as a Repeat Finding: Prior Year Findings 2022–001 and 2021–001
Recommendation: We recommend that access to various FACTS and RAPIDS system applications be restricted to a limited number of users. Controls should be established to ensure that an individual is limited to either creating or approving cases or payments. A detect control should be implemented that would require a review of all individual cases and payments with the same request and approval worker to ensure that cases and payments created and approved were appropriate. Further, we recommend that a formal review process be implemented to ensure that information input into FACTS and RAPIDS is properly reviewed by authorized individuals prior to payment. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–003 INFORMATION TECHNOLOGY GENERAL CONTROLS – WVPATH
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Foster Care Title IV-E 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” Condition: The State of West Virginia did not implement all logical access and change management controls that are required to be in place to support effective information technology general controls (ITGCs) for the wvPATH application. As a result, wvPATH ITGCs, and therefore, wvPATH application controls, cannot be relied upon in the period of audit. Cause: Management could not provide evidence to support wvPATH ITGC processes and controls including access provisioning, revocation of access, and a review of user access. Additionally, documentation was not provided related to wvPATH application change management requests to support updates / customizations to the application were authorized, tested and approved prior to being implemented to production. There was not a clear delineation of responsibilities between the State of West Virginia and the third-party software vendor related to the support and administration of the wvPATH application and supporting infrastructure. The third-party software vendor does not issue a System and Organization Controls (SOC) report for the services provided to the State of West Virginia. Effect or Potential Effect: There is a risk the data relevant to the Foster Care – Title IV-E and Adoption Assistance – Title IV-E programs stored within the wvPATH system may be inappropriately created or modified. Effective testing of the required logical access and change management controls is to support effective ITGCs over the wvPATH application. As a result, the wvPATH application cannot be relied on for the audit period. Questioned Costs: None Context: Total Foster Care Title IV-E expenditures for the year ended June 30, 2023 were $72,440,416. Total Adoption Assistance expenditures for the year ended June 30, 2023 were $83,731,768. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: Documentation of the requestor, access rights requested, and approval should be defined and maintained for all new and modified wvPATH access requests. This documentation should allow for an audit trail of all new and transferred users ensuring that access was granted/removed from the wvPATH application. Additionally, segregation of duties should exist between the requestor/approver and grantor of the access. Management should remove the terminated user's access from the wvPATH application. Management should enhance the process of communicating terminated employees to ensure access is revoked or disabled timely. Management should ensure that a review of wvPATH user access is performed on a periodic basis (e.g., annually) to ensure user access rights remain consistent with user job responsibilities. Review procedures should be performed for all users with access, including those with privileged access, to the wvPATH application to determine access appropriateness. In addition, management should ensure that adequate documentation is maintained to provide evidence (i.e., sign-offs, hard-copy reports, etc.) of the review. A formal, documented process should be implemented to capture authorization, testing and production migration approvals for change requests to the wvPATH application and supporting infrastructure. This documentation should allow for an audit trail of all program changes ensuring that changes were appropriately authorized and administered. For IT processes and controls that are the responsibility of the third-party software vendor, management should evaluate the need for a SOC report for control activities performed by the vendor on behalf of the State of West Virginia. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–053 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES AND ELIGIBILITY
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
42 USC 673(a)(2) indicates that funds may be expended for adoption assistance subsidy payments made on behalf of eligible children, in accordance with a written and binding adoption assistance agreement. Subsidy payments are made to adoptive parents based on the need(s) of the child (i.e., developmental, cognitive, emotional behavioral) and the circumstances of the adopting parents. Condition: Four of the 40 cases tested for allowability and eligibility resulted in a disbursement that was not related to the Adoption Assistance – Title IV-E program due to a clerical error, which caused certain benefit payments to be paid out of the incorrect federal assistance listing number. One of the 40 cases tested for allowability and eligibility resulted in an overpayment. Cause: Management indicated that the payments were caused by clerical errors. Internal controls are not suitably designed to review and approve disbursements. Effect or Potential Effect: Ineligible or unallowable claims were paid using federal funds. Questioned Costs: $2,446 Context: The five instances represent $2,446 of adoption assistance payments out of a total sample of benefit payments tested for allowability and eligibility of $53,146. Total federal expenditures for the Adoption Assistance program were $83,731,768 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that DHHR implement internal controls to review all benefit payments to ensure they are coded correctly and the proper amount of benefits are paid out of the correct federal assistance listing number. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–050 INTERNAL CONTROL OVER ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES, SPECIAL TEST AND PROVISIONS – PROVIDER ENROLLMENT & SPECIAL TEST AND PROVISIONS: PROVIDER HEALTH AND SAFETY STANDARDS (MEDICAID ONLY)
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Medicaid Cluster 93.775/93.777/93.778, Grant Award 2005WVINCT, Grant Award 1905WV5MAP, Grant Award 2005WV5ADM, Grant Award 2005WVIMPL, Grant Award 2005WV5MAP, Grant Award 2105WV5MAP, Grant Award 2105WV5ADM, Grant Award 2105WVIMPL, Grant Award 2105WVINCT, Grant Award 2005WVINCT, Grant Award 1905WV5MAP; Children’s Health Insurance Program (CHIP) 93.767, Grant Award 2005WV5021, Grant Award 2105WV5021, Grant Award 2205WV5021 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: West Virginia Department of Health and Human Resources (DHHR) contracts a third-party service organization (Gainwell Technologies LLC) to design and maintain the WV Medicaid Management Information System (WVMMIS) and perform various functions related to the processing of claims for both the Medicaid and CHIP programs. DHHR obtains a Service Organization Controls (SOC) 1 Type 2 report for WVMMIS annually. DHHR’s internal controls over the review of the report did not identify the report had a qualified opinion. Therefore, management did not appropriately address the risk of DHHR relying on the data within WVMMIS. Cause: Management’s design of the internal controls over the annual review of the WVMMIS SOC 1 Type 2 report was not suitably designed to assess the type of opinion issued and the control exceptions identified and then implement appropriate actions for any adverse items noted. Effect or Potential Effect: WVMMIS relied on the WVMMIS SOC 1 Type 2 report that had a qualified opinion. Questioned Costs: N/A Context: The federal expenditures for the Medicaid and CHIP programs for the fiscal year ended June 30, 2023, were $4,622,001,554 and $72,568,219, respectively. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: DHHR should develop internal controls to outline the key components of the SOC 1 Type 2 report to ensure the review appropriately identifies internal controls issues timely to ensure they are addressed timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–004 INTERNAL CONTROLS OVER SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Opioid STR 93.788, Grant Award 1H79TI085744-01, Grant Award 1H79TI083313-01, Grant Award 6H79TI083313-02M002, Grant Award 6H79TI083313-02M004, Grant Award 5H79TI083313-02 Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04, Child Care and Development Fund (CCDF) Cluster 93.575/93.596/COVID-19 93.575, Grant Award G2201WVCCDF, Grant Award G2301WVCCDF Temporary Assistance for Needy Families 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: During our internal control testing of subrecipient monitoring, we determined that the subrecipient risk assessment performed did not clearly conclude the level of risk assessed (Low, Medium, High) for each subrecipient. Cause: The internal controls over subrecipient monitoring are not designed sufficiently to require a conclusion to be reached on a subrecipient’s risk assessment to determine the level of monitoring required to be performed. Effect or Potential Effect: Subrecipients may not be properly risk assessed; therefore, impacting the type and amount of monitoring that would be performed in the future. Questioned Costs: N/A Context: The federal expenditures and subrecipient expenditures for the Opioid STR program for the fiscal year ended June 30, 2023, were $34,877,309 and $32,388,417, respectively. The federal expenditures and subrecipient expenditures for the Child Care and Development Fund (CCDF Cluster) for the fiscal year ended June 30, 2023, were $202,427,780 and $45,239,361, respectively. The federal expenditures and subrecipient expenditures for the Temporary Assistance for Needy Families for the fiscal year ended June 30, 2023, were $85,510,454, and $18,789,521, respectively. Identification as a Repeat Finding: Prior Year Finding 2022–041 Recommendation: We recommend that DHHR management review its internal controls over the risk assessment process to perform the risk assessment and conclude on the level of risk and monitoring required. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–052 SUBRECIPIENT CASH MANAGEMENT
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Opioid STR 93.788, Grant Award 1H79TI085744, Grant Award 5H79TI083313, Grant Award 1H79TI083313, Grant Award 6H79TI083313 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be following guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.305(b)(1) requires that the non-federal entity must “monitor cash drawdowns by their subrecipients to ensure that the time elapsing between the transfer of federal funds to the subrecipient and their disbursement for program purposes is minimized as required by the applicable cash management requirements in the federal award to the recipient.” Per DHHR policy, the Spending Unit shall limit cash advances to a subrecipient to the minimum amounts needed and be timed in accordance with the actual, immediate cash requirements of the subrecipient for carrying out the purpose of the approved program or project. The timing and amount of cash advances shall be as close as is administratively feasible to the actual disbursements by the subrecipient for direct program or project costs and the proportionate share of any allowable indirect costs. Condition: During testing of the State Targeted Response to the Opioid Crisis Grants, for 3 of the 40 disbursements selected for testing the approval of the reconciliation of grantee drawdowns and expenses was not reviewed prior to the payment of the subrecipient invoice. Further for 1 of the 40 disbursements selected for testing, information supporting why the subrecipient drawdown was approved for payment was not adequate. Supporting information indicates the grantee had excess cash balances on hand prior to the draw and there was no formal documentation of a program manager’s justification to allow the draw therefore the state was not minimizing the time between the transfer of funds to the subrecipient and the subrecipient’s expenditure of the funds. Cause: Internal controls are not operating effectively surrounding the approval of subrecipient cash disbursements. Supporting documentation was not retained to demonstrate cash advances to the subrecipient represented the minimum amount needed for actual and immediate cash requirements of the subrecipient for carrying out the purpose of the program. Effect or Potential Effect: The cash remitted to the subrecipient may not be accurate and may be in excess of the subrecipients actual and immediate cash requirements for carrying out the purpose of the program. Questioned Costs: $188,484, Opioid STR 93.788 Context: The total subrecipient drawdowns selected for testing was $8,073,637. The total amount of subrecipient drawdowns for the Opioid STR program was $32,972,268 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–038 Recommendation: We recommend that DHHR establish policies and procedures requiring documentation from subrecipients substantiating that the amount of a drawdown is appropriate based on the expenditures through the request date so that the reconciliation preformed for the related drawdown is sufficient to determine that the drawdown is appropriate and excess cash is not remitted to the subrecipient. Views of Responsible Officials: Management concurs with the findings and has developed a plan to correct the finding.
2023–002 DHHR INFORMATION SYSTEM AND RELATED BUSINESS PROCESS CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF, Child Care and Development Fund (CCDF) Cluster, 93.575/93.596/COVID 19 93.575, Grant Award 2201WVCCDF, Grant Award 2201WVCCDM, Grant Award 2201WVCCDD, Grant Award 2301WVCCDF, Grant Award 2301WVCCDM, Grant Award 2301WVCCDD, Foster Care Title IV-E, 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: Family and Children Tracking System (FACTS): West Virginia Department of Health and Human Resources (DHHR) operates a wide variety of computer applications, many of which affect federal and State programs’ data. Our review of the information system controls noted that adequate segregation of duties does not exist for the FACTS information system. Certain users have the ability to both create and approve cases. We noted that management implemented a mitigating detect control for the Foster Care program during fiscal year 2012 in response to this repeat finding; however, it was not designed to encompass the Adoption Assistance program or automatic payments in the Foster Care program. Additionally, no supervisory review is required for provider payment information input into the system. Recipient Automated Payment Information Data System (RAPIDS): Our testing of the controls surrounding eligibility determination noted that adequate segregation of duties does not exist for the RAPIDS system. In addition, no supervisory review is required for case information input into the system. Further, it was noted that approval of disbursements only occurs at the batch level, which does not allow the approver to review each transaction individually. Cause: Controls have not been implemented over the segregation of duties within RAPIDS and FACTS. Furthermore, management indicated that a lack of personnel resources contributes to the improper segregation of duties issue. Effect or Potential Effect: Without proper segregation of duties or adequate detect controls, the ability exists for certain information system users to create and approve cases and demand payments within the FACTS and RAPIDS applications. Information can be input into the FACTS and RAPIDS applications or modified within the applications without supervisory review, which could lead to payments being made to ineligible applicants, for the improper amount, or for an improper length of time. Without proper segregation of duties or adequate detect controls, the ability exists for case workers to input unsupported information into an applicant’s eligibility calculation within RAPIDS. Further, without supervisory review at the transactional level, disbursements for unallowable costs or activities could occur. Questioned Costs: N/A Context: Total federal expenditures for these programs can be located in the Schedule of Expenditures of Federal Awards. Identification as a Repeat Finding: Prior Year Findings 2022–001 and 2021–001
Recommendation: We recommend that access to various FACTS and RAPIDS system applications be restricted to a limited number of users. Controls should be established to ensure that an individual is limited to either creating or approving cases or payments. A detect control should be implemented that would require a review of all individual cases and payments with the same request and approval worker to ensure that cases and payments created and approved were appropriate. Further, we recommend that a formal review process be implemented to ensure that information input into FACTS and RAPIDS is properly reviewed by authorized individuals prior to payment. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–004 INTERNAL CONTROLS OVER SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Opioid STR 93.788, Grant Award 1H79TI085744-01, Grant Award 1H79TI083313-01, Grant Award 6H79TI083313-02M002, Grant Award 6H79TI083313-02M004, Grant Award 5H79TI083313-02 Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04, Child Care and Development Fund (CCDF) Cluster 93.575/93.596/COVID-19 93.575, Grant Award G2201WVCCDF, Grant Award G2301WVCCDF Temporary Assistance for Needy Families 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: During our internal control testing of subrecipient monitoring, we determined that the subrecipient risk assessment performed did not clearly conclude the level of risk assessed (Low, Medium, High) for each subrecipient. Cause: The internal controls over subrecipient monitoring are not designed sufficiently to require a conclusion to be reached on a subrecipient’s risk assessment to determine the level of monitoring required to be performed. Effect or Potential Effect: Subrecipients may not be properly risk assessed; therefore, impacting the type and amount of monitoring that would be performed in the future. Questioned Costs: N/A Context: The federal expenditures and subrecipient expenditures for the Opioid STR program for the fiscal year ended June 30, 2023, were $34,877,309 and $32,388,417, respectively. The federal expenditures and subrecipient expenditures for the Child Care and Development Fund (CCDF Cluster) for the fiscal year ended June 30, 2023, were $202,427,780 and $45,239,361, respectively. The federal expenditures and subrecipient expenditures for the Temporary Assistance for Needy Families for the fiscal year ended June 30, 2023, were $85,510,454, and $18,789,521, respectively. Identification as a Repeat Finding: Prior Year Finding 2022–041 Recommendation: We recommend that DHHR management review its internal controls over the risk assessment process to perform the risk assessment and conclude on the level of risk and monitoring required. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–042 SPECIAL TESTS AND PROVISIONS – PROVIDER ELIGIBILITY FOR ARP ACT STABILIZATION FUNDS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/COVID-19 93.575/93.596, Grant Award 2022 – 2201WVCCDD, Grant Award 2022 – 2201WVCCDF, Grant Award 2023 – 2301WVCCDD, Grant Award 2023 – 2301WVCCDF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). According to Pub L 117-2 Sec. 2201: “To be qualified to receive ARP Act stabilization funds, a provider on the date of application for the award must either be: (1) open and available to provide child care services, or (2) closed due to public health, financial hardship, or other reasons relating to the COVID-19 public health emergency. In addition, the provider must either (1) be eligible to serve children who receive CCDF subsidies at the time of application for stabilization funds, or (2) be licensed, regulated, or registered in the state, territory, or tribe as of March 11, 2021 and meet applicable state and local health and safety requirements at the time of application for stabilization funds. In their application for stabilization funds, a child care provider must certify: a). That the provider will, when open and providing services, implement policies in line with guidance and orders from corresponding state, territorial, tribal, and local authorities and, to the greatest extent possible, implement policies in line with guidance from the CDC. b). For each employee, the provider must pay at least the same amount in weekly wages and maintain the same benefits for the duration of the stabilization funding. c). The provider will provide relief from copayments and tuition payments for the families enrolled in the provider’s program, to the extent possible, and prioritize such relief for families struggling to make either type of payment.” Condition: The West Virginia Department of Health & Human Resources (DHHR) has policies and procedures in place surrounding the review and approval of provider certifications in the application for funding and review and approval of verification of eligibility criteria; however, adequate documentation to support the review was not maintained. In addition, 2 of the 40 selected did not have a Provider Service Agreement that was completed and 1 of the 40 Provider Service Agreements did not have evidence of provider’s required certifications available. Cause: Internal controls are not operating effectively surrounding the review and approval of provider certifications and verification of eligibility criteria. Effect or Potential Effect: Providers who received ARP Act Stabilization funds may not have met the eligibility criteria or made the required certifications. Questioned Costs: N/A Context: Total federal expenditures for CCDF Cluster for the fiscal year ended June 30, 2023, were $202,427,780. Identification as a Repeat Finding: Prior Year Finding 2022–026 Recommendation: We recommend that DHHR management maintain sufficient documentation to evidence its review and approval of provider certifications and eligibility criteria. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–043 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/COVID-19 93.575/93.596, Grant Award 2022 – 2201WVCCDD, Grant Award 2022 – 2201WVCCDF, Grant Award 2023 – 2301WVCCDD, Grant Award 2023 – 2301WVCCDF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) Reports, it was noted that one report was not submitted by the State of West Virginia Child Care Development Fund (DHHR) program management within the timeframe designated in 2 CFR 170 Appendix A.
Cause: A lack of oversight and adequate review of the FFATA reporting by DHHR management. Effect or Potential Effect: DHHR management did not report the necessary FFATA report for Child Care first-tier subawards over $30,000 to The FFATA Subaward Reporting System in a timely fashion for one report. Questioned Costs: N/A Context: Subawards for the Child Care program included 10 subawards which had payments totaling $45,239,361 for the year ended June 30, 2023. The federal expenditures for the Child Care program for the fiscal year ended June 30, 2023 were $202,427,780. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that strengthen internal controls and policies and procedures over FFATA reporting to ensure they are in compliance with the federal reporting requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–044 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES AND ELIGIBILITY
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/COVID-19 93.575/93.596, Grant Award 2201WVCCDD, Grant Award 2101WVCCDF, Grant Award 2201WVCCDF, Grant Award 2301WVCCDD, Grant Award 2301WVCCDF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The allowability compliance requirements of the Child Care and Development Fund (CCDF) Cluster require the West Virginia Department of Health and Human Resources (DHHR) to conform to the following criteria contained in 2 CFR Part 200: “Costs did not consist of improper payments, including (1) payments that should not have been made or that were made in incorrect amounts (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; (2) payments that do not account for credit for applicable discounts; (3) duplicate payments; (4) payments that were made to an ineligible party or for an ineligible good or service; and (5) payments for goods or services not received (except for such payments where authorized by law). Costs were necessary and reasonable for the performance of the Federal award and allocable under the principles of 2 CFR part 200, subpart E. Costs were adequately documented.” Condition: Benefits paid to or on behalf of the individuals were calculated correctly and in compliance with the requirements of the program. We noted benefits were not paid in accordance with 2 CFR Part 200 (1) during the testing of 40 payments to providers for eligibility and allowability, as follows: • For 1 of the 40 payments, records indicate the child was covered under a Child Protective Services (CPS) safety plan. However, the $3 daily supplement was not included in the calculation or paid, resulting in an underpayment of $170. • For 1 of the 40 payments, the provider requested payment and was paid for 13 non-traditional days, however records indicate only 11 of the 13 days were non-traditional, resulting in an overpayment of $12. Cause: Management indicated that the errors were due to caseworker oversight. Internal controls are not suitably designed to review and approve disbursements. Effect or Potential Effect: Payments were not given consistent treatment, potentially resulting in overpayment or underpayment to providers. Questioned Costs: $12 Assistance Listing # 93.575 (Grant Award 2301WVCCDF) Context: The total of all benefit payments tested was $25,385. Total provider payments for the CCDF Cluster for the fiscal year ended June 30, 2023 were $157,188,419. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: DHHR should evaluate the effectiveness of the current training programs for the use of the Families and Children Tracking System (FACTS) (and subsequently West Virginia People's Access to Help (WV PATH) systems for CCDF payments). Furthermore, DHHR should follow established policies and procedures to ensure client information and the number of days are input correctly. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–045 SPECIAL TESTS AND PROVISIONS – FRAUD DETECTION AND REPAYMENT
Federal Program Information: Federal Agency and Program Name CFDA# U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/93.596 COVID-19 93.575, Grant Award 2201WVCCDD, Grant Award 2201WVCCDF, Grant Award 2301WVCCDD, Grant Award 2301WVCCDF
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 states that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). (b) Comply with Federal statutes, regulations, and the terms and conditions of the Federal awards. (c) Evaluate and monitor the non-Federal entity’s compliance with statute, regulations and the terms and conditions of Federal awards. (d) Take prompt action when instances of noncompliance are identified including noncompliance identified in audit findings. (e) Take reasonable measures to safeguard protected personally identifiable information and other information the Federal awarding agency or pass-through entity designates as sensitive or the non-Federal entity considers sensitive consistent with applicable Federal, state and local laws regarding privacy and obligations of confidentiality.” Lead Agencies shall recover child care payments that are the result of fraud. These payments shall be recovered from the party responsible for committing the fraud. (45 CFR section 98.60). Condition: Current policies indicate the DHHR refers potentially fraudulent payments to the Office of the Inspector General (OIG) for investigation. When an investigation results in a determination of fraud, a repayment plan is required to be established and tracked. However, documentation of the review of the listing of cases referred for investigation, including the status was not available. For one of the five closed investigations selected, a repayment plan was approved however repayments were not received and documentation of action taken was not available. For two of the five closed investigations selected, documentation for approval of the repayment plan, repayments received, or other follow-up action taken was not available. Therefore, the auditor was unable to reach a conclusion. Cause: Staff turnover in recent years in Departments responsible for this process caused inconsistencies in the way investigation of potentially fraudulent claims were identified, documented, and reported. Effect or Potential Effect: Payments resulting from fraud may not have been identified, and the proper procedures to establish repayment or recovery may not have occurred in a reasonable amount of time. Questioned Costs: $16,103 Context: Total federal expenditures for the CCDF Cluster for fiscal year ended June 30, 2023, were $202,427,780. Identification as a Repeat Finding: This is not a repeat finding from prior year. Recommendation: The DHHR should work with the OIG to ensure its internal controls and policies and procedures are robust and include sufficient documentation of oversight and review to ensure fraudulent claims are identified and tracked beginning in the year of identification and continuing through the establishment and enforcement of repayment agreements. Additionally, status monitoring of cases referred for investigation should be documented, and follow-up completed timely. Views of Responsible Officials: Management acknowledges the finding. See corrective action plan.
2023–002 DHHR INFORMATION SYSTEM AND RELATED BUSINESS PROCESS CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF, Child Care and Development Fund (CCDF) Cluster, 93.575/93.596/COVID 19 93.575, Grant Award 2201WVCCDF, Grant Award 2201WVCCDM, Grant Award 2201WVCCDD, Grant Award 2301WVCCDF, Grant Award 2301WVCCDM, Grant Award 2301WVCCDD, Foster Care Title IV-E, 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: Family and Children Tracking System (FACTS): West Virginia Department of Health and Human Resources (DHHR) operates a wide variety of computer applications, many of which affect federal and State programs’ data. Our review of the information system controls noted that adequate segregation of duties does not exist for the FACTS information system. Certain users have the ability to both create and approve cases. We noted that management implemented a mitigating detect control for the Foster Care program during fiscal year 2012 in response to this repeat finding; however, it was not designed to encompass the Adoption Assistance program or automatic payments in the Foster Care program. Additionally, no supervisory review is required for provider payment information input into the system. Recipient Automated Payment Information Data System (RAPIDS): Our testing of the controls surrounding eligibility determination noted that adequate segregation of duties does not exist for the RAPIDS system. In addition, no supervisory review is required for case information input into the system. Further, it was noted that approval of disbursements only occurs at the batch level, which does not allow the approver to review each transaction individually. Cause: Controls have not been implemented over the segregation of duties within RAPIDS and FACTS. Furthermore, management indicated that a lack of personnel resources contributes to the improper segregation of duties issue. Effect or Potential Effect: Without proper segregation of duties or adequate detect controls, the ability exists for certain information system users to create and approve cases and demand payments within the FACTS and RAPIDS applications. Information can be input into the FACTS and RAPIDS applications or modified within the applications without supervisory review, which could lead to payments being made to ineligible applicants, for the improper amount, or for an improper length of time. Without proper segregation of duties or adequate detect controls, the ability exists for case workers to input unsupported information into an applicant’s eligibility calculation within RAPIDS. Further, without supervisory review at the transactional level, disbursements for unallowable costs or activities could occur. Questioned Costs: N/A Context: Total federal expenditures for these programs can be located in the Schedule of Expenditures of Federal Awards. Identification as a Repeat Finding: Prior Year Findings 2022–001 and 2021–001
Recommendation: We recommend that access to various FACTS and RAPIDS system applications be restricted to a limited number of users. Controls should be established to ensure that an individual is limited to either creating or approving cases or payments. A detect control should be implemented that would require a review of all individual cases and payments with the same request and approval worker to ensure that cases and payments created and approved were appropriate. Further, we recommend that a formal review process be implemented to ensure that information input into FACTS and RAPIDS is properly reviewed by authorized individuals prior to payment. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–004 INTERNAL CONTROLS OVER SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Opioid STR 93.788, Grant Award 1H79TI085744-01, Grant Award 1H79TI083313-01, Grant Award 6H79TI083313-02M002, Grant Award 6H79TI083313-02M004, Grant Award 5H79TI083313-02 Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04, Child Care and Development Fund (CCDF) Cluster 93.575/93.596/COVID-19 93.575, Grant Award G2201WVCCDF, Grant Award G2301WVCCDF Temporary Assistance for Needy Families 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: During our internal control testing of subrecipient monitoring, we determined that the subrecipient risk assessment performed did not clearly conclude the level of risk assessed (Low, Medium, High) for each subrecipient. Cause: The internal controls over subrecipient monitoring are not designed sufficiently to require a conclusion to be reached on a subrecipient’s risk assessment to determine the level of monitoring required to be performed. Effect or Potential Effect: Subrecipients may not be properly risk assessed; therefore, impacting the type and amount of monitoring that would be performed in the future. Questioned Costs: N/A Context: The federal expenditures and subrecipient expenditures for the Opioid STR program for the fiscal year ended June 30, 2023, were $34,877,309 and $32,388,417, respectively. The federal expenditures and subrecipient expenditures for the Child Care and Development Fund (CCDF Cluster) for the fiscal year ended June 30, 2023, were $202,427,780 and $45,239,361, respectively. The federal expenditures and subrecipient expenditures for the Temporary Assistance for Needy Families for the fiscal year ended June 30, 2023, were $85,510,454, and $18,789,521, respectively. Identification as a Repeat Finding: Prior Year Finding 2022–041 Recommendation: We recommend that DHHR management review its internal controls over the risk assessment process to perform the risk assessment and conclude on the level of risk and monitoring required. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–042 SPECIAL TESTS AND PROVISIONS – PROVIDER ELIGIBILITY FOR ARP ACT STABILIZATION FUNDS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/COVID-19 93.575/93.596, Grant Award 2022 – 2201WVCCDD, Grant Award 2022 – 2201WVCCDF, Grant Award 2023 – 2301WVCCDD, Grant Award 2023 – 2301WVCCDF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). According to Pub L 117-2 Sec. 2201: “To be qualified to receive ARP Act stabilization funds, a provider on the date of application for the award must either be: (1) open and available to provide child care services, or (2) closed due to public health, financial hardship, or other reasons relating to the COVID-19 public health emergency. In addition, the provider must either (1) be eligible to serve children who receive CCDF subsidies at the time of application for stabilization funds, or (2) be licensed, regulated, or registered in the state, territory, or tribe as of March 11, 2021 and meet applicable state and local health and safety requirements at the time of application for stabilization funds. In their application for stabilization funds, a child care provider must certify: a). That the provider will, when open and providing services, implement policies in line with guidance and orders from corresponding state, territorial, tribal, and local authorities and, to the greatest extent possible, implement policies in line with guidance from the CDC. b). For each employee, the provider must pay at least the same amount in weekly wages and maintain the same benefits for the duration of the stabilization funding. c). The provider will provide relief from copayments and tuition payments for the families enrolled in the provider’s program, to the extent possible, and prioritize such relief for families struggling to make either type of payment.” Condition: The West Virginia Department of Health & Human Resources (DHHR) has policies and procedures in place surrounding the review and approval of provider certifications in the application for funding and review and approval of verification of eligibility criteria; however, adequate documentation to support the review was not maintained. In addition, 2 of the 40 selected did not have a Provider Service Agreement that was completed and 1 of the 40 Provider Service Agreements did not have evidence of provider’s required certifications available. Cause: Internal controls are not operating effectively surrounding the review and approval of provider certifications and verification of eligibility criteria. Effect or Potential Effect: Providers who received ARP Act Stabilization funds may not have met the eligibility criteria or made the required certifications. Questioned Costs: N/A Context: Total federal expenditures for CCDF Cluster for the fiscal year ended June 30, 2023, were $202,427,780. Identification as a Repeat Finding: Prior Year Finding 2022–026 Recommendation: We recommend that DHHR management maintain sufficient documentation to evidence its review and approval of provider certifications and eligibility criteria. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–043 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/COVID-19 93.575/93.596, Grant Award 2022 – 2201WVCCDD, Grant Award 2022 – 2201WVCCDF, Grant Award 2023 – 2301WVCCDD, Grant Award 2023 – 2301WVCCDF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) Reports, it was noted that one report was not submitted by the State of West Virginia Child Care Development Fund (DHHR) program management within the timeframe designated in 2 CFR 170 Appendix A.
Cause: A lack of oversight and adequate review of the FFATA reporting by DHHR management. Effect or Potential Effect: DHHR management did not report the necessary FFATA report for Child Care first-tier subawards over $30,000 to The FFATA Subaward Reporting System in a timely fashion for one report. Questioned Costs: N/A Context: Subawards for the Child Care program included 10 subawards which had payments totaling $45,239,361 for the year ended June 30, 2023. The federal expenditures for the Child Care program for the fiscal year ended June 30, 2023 were $202,427,780. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that strengthen internal controls and policies and procedures over FFATA reporting to ensure they are in compliance with the federal reporting requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–044 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES AND ELIGIBILITY
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/COVID-19 93.575/93.596, Grant Award 2201WVCCDD, Grant Award 2101WVCCDF, Grant Award 2201WVCCDF, Grant Award 2301WVCCDD, Grant Award 2301WVCCDF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The allowability compliance requirements of the Child Care and Development Fund (CCDF) Cluster require the West Virginia Department of Health and Human Resources (DHHR) to conform to the following criteria contained in 2 CFR Part 200: “Costs did not consist of improper payments, including (1) payments that should not have been made or that were made in incorrect amounts (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; (2) payments that do not account for credit for applicable discounts; (3) duplicate payments; (4) payments that were made to an ineligible party or for an ineligible good or service; and (5) payments for goods or services not received (except for such payments where authorized by law). Costs were necessary and reasonable for the performance of the Federal award and allocable under the principles of 2 CFR part 200, subpart E. Costs were adequately documented.” Condition: Benefits paid to or on behalf of the individuals were calculated correctly and in compliance with the requirements of the program. We noted benefits were not paid in accordance with 2 CFR Part 200 (1) during the testing of 40 payments to providers for eligibility and allowability, as follows: • For 1 of the 40 payments, records indicate the child was covered under a Child Protective Services (CPS) safety plan. However, the $3 daily supplement was not included in the calculation or paid, resulting in an underpayment of $170. • For 1 of the 40 payments, the provider requested payment and was paid for 13 non-traditional days, however records indicate only 11 of the 13 days were non-traditional, resulting in an overpayment of $12. Cause: Management indicated that the errors were due to caseworker oversight. Internal controls are not suitably designed to review and approve disbursements. Effect or Potential Effect: Payments were not given consistent treatment, potentially resulting in overpayment or underpayment to providers. Questioned Costs: $12 Assistance Listing # 93.575 (Grant Award 2301WVCCDF) Context: The total of all benefit payments tested was $25,385. Total provider payments for the CCDF Cluster for the fiscal year ended June 30, 2023 were $157,188,419. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: DHHR should evaluate the effectiveness of the current training programs for the use of the Families and Children Tracking System (FACTS) (and subsequently West Virginia People's Access to Help (WV PATH) systems for CCDF payments). Furthermore, DHHR should follow established policies and procedures to ensure client information and the number of days are input correctly. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–045 SPECIAL TESTS AND PROVISIONS – FRAUD DETECTION AND REPAYMENT
Federal Program Information: Federal Agency and Program Name CFDA# U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/93.596 COVID-19 93.575, Grant Award 2201WVCCDD, Grant Award 2201WVCCDF, Grant Award 2301WVCCDD, Grant Award 2301WVCCDF
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 states that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). (b) Comply with Federal statutes, regulations, and the terms and conditions of the Federal awards. (c) Evaluate and monitor the non-Federal entity’s compliance with statute, regulations and the terms and conditions of Federal awards. (d) Take prompt action when instances of noncompliance are identified including noncompliance identified in audit findings. (e) Take reasonable measures to safeguard protected personally identifiable information and other information the Federal awarding agency or pass-through entity designates as sensitive or the non-Federal entity considers sensitive consistent with applicable Federal, state and local laws regarding privacy and obligations of confidentiality.” Lead Agencies shall recover child care payments that are the result of fraud. These payments shall be recovered from the party responsible for committing the fraud. (45 CFR section 98.60). Condition: Current policies indicate the DHHR refers potentially fraudulent payments to the Office of the Inspector General (OIG) for investigation. When an investigation results in a determination of fraud, a repayment plan is required to be established and tracked. However, documentation of the review of the listing of cases referred for investigation, including the status was not available. For one of the five closed investigations selected, a repayment plan was approved however repayments were not received and documentation of action taken was not available. For two of the five closed investigations selected, documentation for approval of the repayment plan, repayments received, or other follow-up action taken was not available. Therefore, the auditor was unable to reach a conclusion. Cause: Staff turnover in recent years in Departments responsible for this process caused inconsistencies in the way investigation of potentially fraudulent claims were identified, documented, and reported. Effect or Potential Effect: Payments resulting from fraud may not have been identified, and the proper procedures to establish repayment or recovery may not have occurred in a reasonable amount of time. Questioned Costs: $16,103 Context: Total federal expenditures for the CCDF Cluster for fiscal year ended June 30, 2023, were $202,427,780. Identification as a Repeat Finding: This is not a repeat finding from prior year. Recommendation: The DHHR should work with the OIG to ensure its internal controls and policies and procedures are robust and include sufficient documentation of oversight and review to ensure fraudulent claims are identified and tracked beginning in the year of identification and continuing through the establishment and enforcement of repayment agreements. Additionally, status monitoring of cases referred for investigation should be documented, and follow-up completed timely. Views of Responsible Officials: Management acknowledges the finding. See corrective action plan.
2023–002 DHHR INFORMATION SYSTEM AND RELATED BUSINESS PROCESS CONTROLS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Agriculture Supplemental Nutrition Assistance Program (SNAP Cluster) 10.551/10.561/COVID-19 10.561, Grant Award 1WV400401, Grant Award 1WV430459, Grant Award 1WV430469, Grant Award 1WV460479,
U.S. Department of Health and Human Services Temporary Assistance for Needy Families (TANF) 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF, Child Care and Development Fund (CCDF) Cluster, 93.575/93.596/COVID 19 93.575, Grant Award 2201WVCCDF, Grant Award 2201WVCCDM, Grant Award 2201WVCCDD, Grant Award 2301WVCCDF, Grant Award 2301WVCCDM, Grant Award 2301WVCCDD, Foster Care Title IV-E, 93.658, Grant Award 2201WVFOST, Grant Award 2301WVFOST, Adoption Assistance 93.659, Grant Award 2201WVADPT, Grant Award 2301WVADPT
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
Condition: Family and Children Tracking System (FACTS): West Virginia Department of Health and Human Resources (DHHR) operates a wide variety of computer applications, many of which affect federal and State programs’ data. Our review of the information system controls noted that adequate segregation of duties does not exist for the FACTS information system. Certain users have the ability to both create and approve cases. We noted that management implemented a mitigating detect control for the Foster Care program during fiscal year 2012 in response to this repeat finding; however, it was not designed to encompass the Adoption Assistance program or automatic payments in the Foster Care program. Additionally, no supervisory review is required for provider payment information input into the system. Recipient Automated Payment Information Data System (RAPIDS): Our testing of the controls surrounding eligibility determination noted that adequate segregation of duties does not exist for the RAPIDS system. In addition, no supervisory review is required for case information input into the system. Further, it was noted that approval of disbursements only occurs at the batch level, which does not allow the approver to review each transaction individually. Cause: Controls have not been implemented over the segregation of duties within RAPIDS and FACTS. Furthermore, management indicated that a lack of personnel resources contributes to the improper segregation of duties issue. Effect or Potential Effect: Without proper segregation of duties or adequate detect controls, the ability exists for certain information system users to create and approve cases and demand payments within the FACTS and RAPIDS applications. Information can be input into the FACTS and RAPIDS applications or modified within the applications without supervisory review, which could lead to payments being made to ineligible applicants, for the improper amount, or for an improper length of time. Without proper segregation of duties or adequate detect controls, the ability exists for case workers to input unsupported information into an applicant’s eligibility calculation within RAPIDS. Further, without supervisory review at the transactional level, disbursements for unallowable costs or activities could occur. Questioned Costs: N/A Context: Total federal expenditures for these programs can be located in the Schedule of Expenditures of Federal Awards. Identification as a Repeat Finding: Prior Year Findings 2022–001 and 2021–001
Recommendation: We recommend that access to various FACTS and RAPIDS system applications be restricted to a limited number of users. Controls should be established to ensure that an individual is limited to either creating or approving cases or payments. A detect control should be implemented that would require a review of all individual cases and payments with the same request and approval worker to ensure that cases and payments created and approved were appropriate. Further, we recommend that a formal review process be implemented to ensure that information input into FACTS and RAPIDS is properly reviewed by authorized individuals prior to payment. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–004 INTERNAL CONTROLS OVER SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Opioid STR 93.788, Grant Award 1H79TI085744-01, Grant Award 1H79TI083313-01, Grant Award 6H79TI083313-02M002, Grant Award 6H79TI083313-02M004, Grant Award 5H79TI083313-02 Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) 93.323/COVID-19 93.323, Grant Award 6NU50CK000551-01-05, Grant Award 5NU50CK000551-C2-00, Grant Award 6NU50CK000551-02-01, Grant Award 6NU50CK000551-02-02, Grant Award 6NU50CK000551-03-05, Grant Award 6NU50CK000551-03-02, Grant Award 6NU50CK000551-02-04, Grant Award 6NU50CK000551-02-08, Grant Award 6NU50CK000551-02-06, Grant Award 6NU50CK000551-03-01, Grant Award 6NU50CK000551-01-07, Grant Award 6NU50CK000551-02-03, Grant Award 6NU50CK000551-01-06, Grant Award 5NU50CK000551-04-00, Grant Award 6NU50CK000551-04-02, Grant Award 6NU50CK000551-04-04, Child Care and Development Fund (CCDF) Cluster 93.575/93.596/COVID-19 93.575, Grant Award G2201WVCCDF, Grant Award G2301WVCCDF Temporary Assistance for Needy Families 93.558/COVID-19 93.558, Grant Award 2201WVTANF, Grant Award 2301WVTANF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: During our internal control testing of subrecipient monitoring, we determined that the subrecipient risk assessment performed did not clearly conclude the level of risk assessed (Low, Medium, High) for each subrecipient. Cause: The internal controls over subrecipient monitoring are not designed sufficiently to require a conclusion to be reached on a subrecipient’s risk assessment to determine the level of monitoring required to be performed. Effect or Potential Effect: Subrecipients may not be properly risk assessed; therefore, impacting the type and amount of monitoring that would be performed in the future. Questioned Costs: N/A Context: The federal expenditures and subrecipient expenditures for the Opioid STR program for the fiscal year ended June 30, 2023, were $34,877,309 and $32,388,417, respectively. The federal expenditures and subrecipient expenditures for the Child Care and Development Fund (CCDF Cluster) for the fiscal year ended June 30, 2023, were $202,427,780 and $45,239,361, respectively. The federal expenditures and subrecipient expenditures for the Temporary Assistance for Needy Families for the fiscal year ended June 30, 2023, were $85,510,454, and $18,789,521, respectively. Identification as a Repeat Finding: Prior Year Finding 2022–041 Recommendation: We recommend that DHHR management review its internal controls over the risk assessment process to perform the risk assessment and conclude on the level of risk and monitoring required. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–042 SPECIAL TESTS AND PROVISIONS – PROVIDER ELIGIBILITY FOR ARP ACT STABILIZATION FUNDS
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/COVID-19 93.575/93.596, Grant Award 2022 – 2201WVCCDD, Grant Award 2022 – 2201WVCCDF, Grant Award 2023 – 2301WVCCDD, Grant Award 2023 – 2301WVCCDF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). According to Pub L 117-2 Sec. 2201: “To be qualified to receive ARP Act stabilization funds, a provider on the date of application for the award must either be: (1) open and available to provide child care services, or (2) closed due to public health, financial hardship, or other reasons relating to the COVID-19 public health emergency. In addition, the provider must either (1) be eligible to serve children who receive CCDF subsidies at the time of application for stabilization funds, or (2) be licensed, regulated, or registered in the state, territory, or tribe as of March 11, 2021 and meet applicable state and local health and safety requirements at the time of application for stabilization funds. In their application for stabilization funds, a child care provider must certify: a). That the provider will, when open and providing services, implement policies in line with guidance and orders from corresponding state, territorial, tribal, and local authorities and, to the greatest extent possible, implement policies in line with guidance from the CDC. b). For each employee, the provider must pay at least the same amount in weekly wages and maintain the same benefits for the duration of the stabilization funding. c). The provider will provide relief from copayments and tuition payments for the families enrolled in the provider’s program, to the extent possible, and prioritize such relief for families struggling to make either type of payment.” Condition: The West Virginia Department of Health & Human Resources (DHHR) has policies and procedures in place surrounding the review and approval of provider certifications in the application for funding and review and approval of verification of eligibility criteria; however, adequate documentation to support the review was not maintained. In addition, 2 of the 40 selected did not have a Provider Service Agreement that was completed and 1 of the 40 Provider Service Agreements did not have evidence of provider’s required certifications available. Cause: Internal controls are not operating effectively surrounding the review and approval of provider certifications and verification of eligibility criteria. Effect or Potential Effect: Providers who received ARP Act Stabilization funds may not have met the eligibility criteria or made the required certifications. Questioned Costs: N/A Context: Total federal expenditures for CCDF Cluster for the fiscal year ended June 30, 2023, were $202,427,780. Identification as a Repeat Finding: Prior Year Finding 2022–026 Recommendation: We recommend that DHHR management maintain sufficient documentation to evidence its review and approval of provider certifications and eligibility criteria. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–043 TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/COVID-19 93.575/93.596, Grant Award 2022 – 2201WVCCDD, Grant Award 2022 – 2201WVCCDF, Grant Award 2023 – 2301WVCCDD, Grant Award 2023 – 2301WVCCDF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.” Under the requirements of the Federal Funding Accountability and Transparency Act (Pub. L. No. 109-282) (Transparency Act) that are codified in 2 CFR Part 170, “unless the auditee is exempt as provided in paragraph d. of this award term, the auditee must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency no later than the end of the month following the month in which the obligation was made.” Recipients of grants or cooperative agreements are required to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS) per submission instructions posted at http://www.fsrs.gov. Condition: During our testing of Federal Funding Accountability and Transparency Act (FFATA) Reports, it was noted that one report was not submitted by the State of West Virginia Child Care Development Fund (DHHR) program management within the timeframe designated in 2 CFR 170 Appendix A.
Cause: A lack of oversight and adequate review of the FFATA reporting by DHHR management. Effect or Potential Effect: DHHR management did not report the necessary FFATA report for Child Care first-tier subawards over $30,000 to The FFATA Subaward Reporting System in a timely fashion for one report. Questioned Costs: N/A Context: Subawards for the Child Care program included 10 subawards which had payments totaling $45,239,361 for the year ended June 30, 2023. The federal expenditures for the Child Care program for the fiscal year ended June 30, 2023 were $202,427,780. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that strengthen internal controls and policies and procedures over FFATA reporting to ensure they are in compliance with the federal reporting requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–044 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES AND ELIGIBILITY
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/COVID-19 93.575/93.596, Grant Award 2201WVCCDD, Grant Award 2101WVCCDF, Grant Award 2201WVCCDF, Grant Award 2301WVCCDD, Grant Award 2301WVCCDF Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).” The allowability compliance requirements of the Child Care and Development Fund (CCDF) Cluster require the West Virginia Department of Health and Human Resources (DHHR) to conform to the following criteria contained in 2 CFR Part 200: “Costs did not consist of improper payments, including (1) payments that should not have been made or that were made in incorrect amounts (including overpayments and underpayments) under statutory, contractual, administrative, or other legally applicable requirements; (2) payments that do not account for credit for applicable discounts; (3) duplicate payments; (4) payments that were made to an ineligible party or for an ineligible good or service; and (5) payments for goods or services not received (except for such payments where authorized by law). Costs were necessary and reasonable for the performance of the Federal award and allocable under the principles of 2 CFR part 200, subpart E. Costs were adequately documented.” Condition: Benefits paid to or on behalf of the individuals were calculated correctly and in compliance with the requirements of the program. We noted benefits were not paid in accordance with 2 CFR Part 200 (1) during the testing of 40 payments to providers for eligibility and allowability, as follows: • For 1 of the 40 payments, records indicate the child was covered under a Child Protective Services (CPS) safety plan. However, the $3 daily supplement was not included in the calculation or paid, resulting in an underpayment of $170. • For 1 of the 40 payments, the provider requested payment and was paid for 13 non-traditional days, however records indicate only 11 of the 13 days were non-traditional, resulting in an overpayment of $12. Cause: Management indicated that the errors were due to caseworker oversight. Internal controls are not suitably designed to review and approve disbursements. Effect or Potential Effect: Payments were not given consistent treatment, potentially resulting in overpayment or underpayment to providers. Questioned Costs: $12 Assistance Listing # 93.575 (Grant Award 2301WVCCDF) Context: The total of all benefit payments tested was $25,385. Total provider payments for the CCDF Cluster for the fiscal year ended June 30, 2023 were $157,188,419. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: DHHR should evaluate the effectiveness of the current training programs for the use of the Families and Children Tracking System (FACTS) (and subsequently West Virginia People's Access to Help (WV PATH) systems for CCDF payments). Furthermore, DHHR should follow established policies and procedures to ensure client information and the number of days are input correctly. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–045 SPECIAL TESTS AND PROVISIONS – FRAUD DETECTION AND REPAYMENT
Federal Program Information: Federal Agency and Program Name CFDA# U.S. Department of Health and Human Services Child Care Disaster Relief/Child Care Development Block Grant/Child Care Mandatory and Matching Funds of the Child Care Development Fund (CCDF Cluster) 93.575/93.596 COVID-19 93.575, Grant Award 2201WVCCDD, Grant Award 2201WVCCDF, Grant Award 2301WVCCDD, Grant Award 2301WVCCDF
Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 states that the non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). (b) Comply with Federal statutes, regulations, and the terms and conditions of the Federal awards. (c) Evaluate and monitor the non-Federal entity’s compliance with statute, regulations and the terms and conditions of Federal awards. (d) Take prompt action when instances of noncompliance are identified including noncompliance identified in audit findings. (e) Take reasonable measures to safeguard protected personally identifiable information and other information the Federal awarding agency or pass-through entity designates as sensitive or the non-Federal entity considers sensitive consistent with applicable Federal, state and local laws regarding privacy and obligations of confidentiality.” Lead Agencies shall recover child care payments that are the result of fraud. These payments shall be recovered from the party responsible for committing the fraud. (45 CFR section 98.60). Condition: Current policies indicate the DHHR refers potentially fraudulent payments to the Office of the Inspector General (OIG) for investigation. When an investigation results in a determination of fraud, a repayment plan is required to be established and tracked. However, documentation of the review of the listing of cases referred for investigation, including the status was not available. For one of the five closed investigations selected, a repayment plan was approved however repayments were not received and documentation of action taken was not available. For two of the five closed investigations selected, documentation for approval of the repayment plan, repayments received, or other follow-up action taken was not available. Therefore, the auditor was unable to reach a conclusion. Cause: Staff turnover in recent years in Departments responsible for this process caused inconsistencies in the way investigation of potentially fraudulent claims were identified, documented, and reported. Effect or Potential Effect: Payments resulting from fraud may not have been identified, and the proper procedures to establish repayment or recovery may not have occurred in a reasonable amount of time. Questioned Costs: $16,103 Context: Total federal expenditures for the CCDF Cluster for fiscal year ended June 30, 2023, were $202,427,780. Identification as a Repeat Finding: This is not a repeat finding from prior year. Recommendation: The DHHR should work with the OIG to ensure its internal controls and policies and procedures are robust and include sufficient documentation of oversight and review to ensure fraudulent claims are identified and tracked beginning in the year of identification and continuing through the establishment and enforcement of repayment agreements. Additionally, status monitoring of cases referred for investigation should be documented, and follow-up completed timely. Views of Responsible Officials: Management acknowledges the finding. See corrective action plan.
2023–050 INTERNAL CONTROL OVER ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES, SPECIAL TEST AND PROVISIONS – PROVIDER ENROLLMENT & SPECIAL TEST AND PROVISIONS: PROVIDER HEALTH AND SAFETY STANDARDS (MEDICAID ONLY)
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Medicaid Cluster 93.775/93.777/93.778, Grant Award 2005WVINCT, Grant Award 1905WV5MAP, Grant Award 2005WV5ADM, Grant Award 2005WVIMPL, Grant Award 2005WV5MAP, Grant Award 2105WV5MAP, Grant Award 2105WV5ADM, Grant Award 2105WVIMPL, Grant Award 2105WVINCT, Grant Award 2005WVINCT, Grant Award 1905WV5MAP; Children’s Health Insurance Program (CHIP) 93.767, Grant Award 2005WV5021, Grant Award 2105WV5021, Grant Award 2205WV5021 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: West Virginia Department of Health and Human Resources (DHHR) contracts a third-party service organization (Gainwell Technologies LLC) to design and maintain the WV Medicaid Management Information System (WVMMIS) and perform various functions related to the processing of claims for both the Medicaid and CHIP programs. DHHR obtains a Service Organization Controls (SOC) 1 Type 2 report for WVMMIS annually. DHHR’s internal controls over the review of the report did not identify the report had a qualified opinion. Therefore, management did not appropriately address the risk of DHHR relying on the data within WVMMIS. Cause: Management’s design of the internal controls over the annual review of the WVMMIS SOC 1 Type 2 report was not suitably designed to assess the type of opinion issued and the control exceptions identified and then implement appropriate actions for any adverse items noted. Effect or Potential Effect: WVMMIS relied on the WVMMIS SOC 1 Type 2 report that had a qualified opinion. Questioned Costs: N/A Context: The federal expenditures for the Medicaid and CHIP programs for the fiscal year ended June 30, 2023, were $4,622,001,554 and $72,568,219, respectively. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: DHHR should develop internal controls to outline the key components of the SOC 1 Type 2 report to ensure the review appropriately identifies internal controls issues timely to ensure they are addressed timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–051 SPECIAL TESTS AND PROVISIONS – ADP RISK ANALYSIS & SYSTEM SECURITY REVIEW
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Medicaid Cluster 93.775/93.777/93.778, Grant Award 2005WVINCT, Grant Award 1905WV5MAP, Grant Award 2005WV5ADM, Grant Award 2005WVIMPL, Grant Award 2005WV5MAP, Grant Award 2105WV5MAP, Grant Award 2105WV5ADM, Grant Award 2105WVIMPL, Grant Award 2105WVINCT, Grant Award 2005WVINCT, Grant Award 1905WV5MAP Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 45 CFR 95.621 requires State Medicaid Agencies (SMAs) “shall review the Automated Data Processing (ADP) system security installations involved in the administration of the Secretary of the U.S. Department of Health and Human Services (HHS) programs on a biennial basis. At a minimum, the reviews shall include an evaluation of physical and data security operating procedures, and personnel practices. The SMA shall maintain reports on its biennial ADP system security reviews, together with pertinent supporting documentation, for HHS on-site reviews.” States agencies must establish and maintain a program for conducting periodic risk analyses to ensure appropriate, cost-effective safeguards are incorporated into new and existing systems. As part of complying with the above requirement, a state may obtain a statement on Standards for Attestation Engagements (AT) Section 801, Reporting on Controls at a Service Organization Service Organization Control (SOC) 1 type 2 report from its service organization (if the state has a service organization). The specific areas covered by a SOC 1 type 2 report differ according to each individual service organization’s operations; however, in every instance, the type 2 report procedures assess the sufficiency of the design of an organization’s controls and test their effectiveness.
Condition: The West Virginia Department of Health & Human Resources (DHHR) utilizes two ADP systems related to Medicaid: RAPIDS and West Virginia’s Medicaid Management Information System (MMIS). DHHR does not have policies and procedures established to perform periodic risk assessments and security reviews over MMIS. As this system utilizes sub-systems (Health PAS Solution) with automated components that directly affect the Medicaid cluster of programs, it meets the criteria stated above from 45 CFR 95.621. DHHR obtains a Service Organization Controls (SOC) 1 Type 2 report for MMIS annually, but DHHR did not sufficiently document their review of the service organization’s controls and overall effectiveness of each control, in order to meet the aforementioned criteria for conducting a periodic risk analysis over each ADP system, per 45 CFR 95.621. Cause: Management’s policies and procedures surrounding the review of the MMIS SOC 1 Type 2 report related to assessing risk and system security do not include the retention of documentation outlining what was reviewed and the results of the review. Effect or Potential Effect: There could be risks related to physical and data security operating procedures, and personnel practices that are not identified timely and appropriately addressed. Questioned Costs: N/A Context: The federal expenditures for the Medicaid program for the fiscal year ended June 30, 2022, were $4,622,001,554. Identification as a Repeat Finding: Prior Year Finding 2022–037 Recommendation: DHHR should enhance its policies and procedures related to the review of the MMIS SOC 1 Type 2 report to ensure that appropriate documentation is retained in order to meet the criteria of an ADP periodic risk assessment and security review of WVMMIS. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–050 INTERNAL CONTROL OVER ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES, SPECIAL TEST AND PROVISIONS – PROVIDER ENROLLMENT & SPECIAL TEST AND PROVISIONS: PROVIDER HEALTH AND SAFETY STANDARDS (MEDICAID ONLY)
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Medicaid Cluster 93.775/93.777/93.778, Grant Award 2005WVINCT, Grant Award 1905WV5MAP, Grant Award 2005WV5ADM, Grant Award 2005WVIMPL, Grant Award 2005WV5MAP, Grant Award 2105WV5MAP, Grant Award 2105WV5ADM, Grant Award 2105WVIMPL, Grant Award 2105WVINCT, Grant Award 2005WVINCT, Grant Award 1905WV5MAP; Children’s Health Insurance Program (CHIP) 93.767, Grant Award 2005WV5021, Grant Award 2105WV5021, Grant Award 2205WV5021 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: West Virginia Department of Health and Human Resources (DHHR) contracts a third-party service organization (Gainwell Technologies LLC) to design and maintain the WV Medicaid Management Information System (WVMMIS) and perform various functions related to the processing of claims for both the Medicaid and CHIP programs. DHHR obtains a Service Organization Controls (SOC) 1 Type 2 report for WVMMIS annually. DHHR’s internal controls over the review of the report did not identify the report had a qualified opinion. Therefore, management did not appropriately address the risk of DHHR relying on the data within WVMMIS. Cause: Management’s design of the internal controls over the annual review of the WVMMIS SOC 1 Type 2 report was not suitably designed to assess the type of opinion issued and the control exceptions identified and then implement appropriate actions for any adverse items noted. Effect or Potential Effect: WVMMIS relied on the WVMMIS SOC 1 Type 2 report that had a qualified opinion. Questioned Costs: N/A Context: The federal expenditures for the Medicaid and CHIP programs for the fiscal year ended June 30, 2023, were $4,622,001,554 and $72,568,219, respectively. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: DHHR should develop internal controls to outline the key components of the SOC 1 Type 2 report to ensure the review appropriately identifies internal controls issues timely to ensure they are addressed timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–051 SPECIAL TESTS AND PROVISIONS – ADP RISK ANALYSIS & SYSTEM SECURITY REVIEW
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Medicaid Cluster 93.775/93.777/93.778, Grant Award 2005WVINCT, Grant Award 1905WV5MAP, Grant Award 2005WV5ADM, Grant Award 2005WVIMPL, Grant Award 2005WV5MAP, Grant Award 2105WV5MAP, Grant Award 2105WV5ADM, Grant Award 2105WVIMPL, Grant Award 2105WVINCT, Grant Award 2005WVINCT, Grant Award 1905WV5MAP Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 45 CFR 95.621 requires State Medicaid Agencies (SMAs) “shall review the Automated Data Processing (ADP) system security installations involved in the administration of the Secretary of the U.S. Department of Health and Human Services (HHS) programs on a biennial basis. At a minimum, the reviews shall include an evaluation of physical and data security operating procedures, and personnel practices. The SMA shall maintain reports on its biennial ADP system security reviews, together with pertinent supporting documentation, for HHS on-site reviews.” States agencies must establish and maintain a program for conducting periodic risk analyses to ensure appropriate, cost-effective safeguards are incorporated into new and existing systems. As part of complying with the above requirement, a state may obtain a statement on Standards for Attestation Engagements (AT) Section 801, Reporting on Controls at a Service Organization Service Organization Control (SOC) 1 type 2 report from its service organization (if the state has a service organization). The specific areas covered by a SOC 1 type 2 report differ according to each individual service organization’s operations; however, in every instance, the type 2 report procedures assess the sufficiency of the design of an organization’s controls and test their effectiveness.
Condition: The West Virginia Department of Health & Human Resources (DHHR) utilizes two ADP systems related to Medicaid: RAPIDS and West Virginia’s Medicaid Management Information System (MMIS). DHHR does not have policies and procedures established to perform periodic risk assessments and security reviews over MMIS. As this system utilizes sub-systems (Health PAS Solution) with automated components that directly affect the Medicaid cluster of programs, it meets the criteria stated above from 45 CFR 95.621. DHHR obtains a Service Organization Controls (SOC) 1 Type 2 report for MMIS annually, but DHHR did not sufficiently document their review of the service organization’s controls and overall effectiveness of each control, in order to meet the aforementioned criteria for conducting a periodic risk analysis over each ADP system, per 45 CFR 95.621. Cause: Management’s policies and procedures surrounding the review of the MMIS SOC 1 Type 2 report related to assessing risk and system security do not include the retention of documentation outlining what was reviewed and the results of the review. Effect or Potential Effect: There could be risks related to physical and data security operating procedures, and personnel practices that are not identified timely and appropriately addressed. Questioned Costs: N/A Context: The federal expenditures for the Medicaid program for the fiscal year ended June 30, 2022, were $4,622,001,554. Identification as a Repeat Finding: Prior Year Finding 2022–037 Recommendation: DHHR should enhance its policies and procedures related to the review of the MMIS SOC 1 Type 2 report to ensure that appropriate documentation is retained in order to meet the criteria of an ADP periodic risk assessment and security review of WVMMIS. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–050 INTERNAL CONTROL OVER ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES, SPECIAL TEST AND PROVISIONS – PROVIDER ENROLLMENT & SPECIAL TEST AND PROVISIONS: PROVIDER HEALTH AND SAFETY STANDARDS (MEDICAID ONLY)
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Medicaid Cluster 93.775/93.777/93.778, Grant Award 2005WVINCT, Grant Award 1905WV5MAP, Grant Award 2005WV5ADM, Grant Award 2005WVIMPL, Grant Award 2005WV5MAP, Grant Award 2105WV5MAP, Grant Award 2105WV5ADM, Grant Award 2105WVIMPL, Grant Award 2105WVINCT, Grant Award 2005WVINCT, Grant Award 1905WV5MAP; Children’s Health Insurance Program (CHIP) 93.767, Grant Award 2005WV5021, Grant Award 2105WV5021, Grant Award 2205WV5021 Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: West Virginia Department of Health and Human Resources (DHHR) contracts a third-party service organization (Gainwell Technologies LLC) to design and maintain the WV Medicaid Management Information System (WVMMIS) and perform various functions related to the processing of claims for both the Medicaid and CHIP programs. DHHR obtains a Service Organization Controls (SOC) 1 Type 2 report for WVMMIS annually. DHHR’s internal controls over the review of the report did not identify the report had a qualified opinion. Therefore, management did not appropriately address the risk of DHHR relying on the data within WVMMIS. Cause: Management’s design of the internal controls over the annual review of the WVMMIS SOC 1 Type 2 report was not suitably designed to assess the type of opinion issued and the control exceptions identified and then implement appropriate actions for any adverse items noted. Effect or Potential Effect: WVMMIS relied on the WVMMIS SOC 1 Type 2 report that had a qualified opinion. Questioned Costs: N/A Context: The federal expenditures for the Medicaid and CHIP programs for the fiscal year ended June 30, 2023, were $4,622,001,554 and $72,568,219, respectively. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: DHHR should develop internal controls to outline the key components of the SOC 1 Type 2 report to ensure the review appropriately identifies internal controls issues timely to ensure they are addressed timely. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–051 SPECIAL TESTS AND PROVISIONS – ADP RISK ANALYSIS & SYSTEM SECURITY REVIEW
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Health and Human Services Medicaid Cluster 93.775/93.777/93.778, Grant Award 2005WVINCT, Grant Award 1905WV5MAP, Grant Award 2005WV5ADM, Grant Award 2005WVIMPL, Grant Award 2005WV5MAP, Grant Award 2105WV5MAP, Grant Award 2105WV5ADM, Grant Award 2105WVIMPL, Grant Award 2105WVINCT, Grant Award 2005WVINCT, Grant Award 1905WV5MAP Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 45 CFR 95.621 requires State Medicaid Agencies (SMAs) “shall review the Automated Data Processing (ADP) system security installations involved in the administration of the Secretary of the U.S. Department of Health and Human Services (HHS) programs on a biennial basis. At a minimum, the reviews shall include an evaluation of physical and data security operating procedures, and personnel practices. The SMA shall maintain reports on its biennial ADP system security reviews, together with pertinent supporting documentation, for HHS on-site reviews.” States agencies must establish and maintain a program for conducting periodic risk analyses to ensure appropriate, cost-effective safeguards are incorporated into new and existing systems. As part of complying with the above requirement, a state may obtain a statement on Standards for Attestation Engagements (AT) Section 801, Reporting on Controls at a Service Organization Service Organization Control (SOC) 1 type 2 report from its service organization (if the state has a service organization). The specific areas covered by a SOC 1 type 2 report differ according to each individual service organization’s operations; however, in every instance, the type 2 report procedures assess the sufficiency of the design of an organization’s controls and test their effectiveness.
Condition: The West Virginia Department of Health & Human Resources (DHHR) utilizes two ADP systems related to Medicaid: RAPIDS and West Virginia’s Medicaid Management Information System (MMIS). DHHR does not have policies and procedures established to perform periodic risk assessments and security reviews over MMIS. As this system utilizes sub-systems (Health PAS Solution) with automated components that directly affect the Medicaid cluster of programs, it meets the criteria stated above from 45 CFR 95.621. DHHR obtains a Service Organization Controls (SOC) 1 Type 2 report for MMIS annually, but DHHR did not sufficiently document their review of the service organization’s controls and overall effectiveness of each control, in order to meet the aforementioned criteria for conducting a periodic risk analysis over each ADP system, per 45 CFR 95.621. Cause: Management’s policies and procedures surrounding the review of the MMIS SOC 1 Type 2 report related to assessing risk and system security do not include the retention of documentation outlining what was reviewed and the results of the review. Effect or Potential Effect: There could be risks related to physical and data security operating procedures, and personnel practices that are not identified timely and appropriately addressed. Questioned Costs: N/A Context: The federal expenditures for the Medicaid program for the fiscal year ended June 30, 2022, were $4,622,001,554. Identification as a Repeat Finding: Prior Year Finding 2022–037 Recommendation: DHHR should enhance its policies and procedures related to the review of the MMIS SOC 1 Type 2 report to ensure that appropriate documentation is retained in order to meet the criteria of an ADP periodic risk assessment and security review of WVMMIS. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–054 INTERNAL CONTROLS OVER TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Homeland Security Disaster Grants – Public Assistance (Presidentially Declared Disasters) 97.036/COVID-19 97.036, Grant Award FEMA–4273-DR–WV, Grant Award FEMA–4331-DR–WV, Grant Award FEMA–4359-DR–WV, Grant Award FEMA–4378-DR–WV, Grant Award FEMA–4455-DR–WV, Grant Award FEMA–4517-DR–WV, Grant Award FEMA–4603-DR–WV, Grant Award FEMA–4605-DR–WV Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: For 21 of the 31 subawards selected for testing, the West Virginia Division of Emergency Management (DEM) did not review and approve the Federal Funding Accountability and Transparency Act (FFATA) reports that were submitted to Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Cause: DEM does not have adequate internal controls in place to ensure that subawards of $30,000 or more are being reported timely and accurately to FSRS. Effect or Potential Effect: DEM may report inaccurate or untimely information for first-tier subawards of $30,000 or more causing them not to be in compliance with federal reporting requirements. Questioned Costs: N/A Context: Total federal expenditures and total subrecipient expenditures for the Disaster Grants – Public Assistance (Presidentially Declared Disasters) program were $123,949,127 and $65,999,232, respectively, for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Findings 2022–042 and 2021–041 Recommendation: We recommend that DEM strengthen internal controls over FFATA reporting to ensure they are in compliance with federal reporting requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–055 SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Homeland Security Disaster Grants – Public Assistance (Presidentially Declared Disasters) 97.036, Grant Award FEMA–4273-DR–WV, Grant Award FEMA–4331-DR–WV, Grant Award FEMA–4359-DR–WV, Grant Award FEMA–4378-DR–WV, Grant Award FEMA–4455-DR–WV, Grant Award FEMA–4517-DR–WV, Grant Award FEMA–4603-DR–WV, Grant Award FEMA–4605-DR–WV Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the West Virginia Division of Emergency Management (DEM) must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.332(b) requires that all pass-through entities must: (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency). 2 CFR 200.332(f) required that all pass-through entities must “verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in Section 200.501.” Condition: The School Building Authority (SBA) did not perform subrecipient risk assessments. Additionally, SBA did not verify if subrecipients subject to be audited per 2 CFR 200.332(f) were audited as required. Cause: SBA does not have proper policies and procedures in place surrounding the subrecipient monitoring compliance requirements. Effect or Potential Effect: SBA is not in compliance with the subrecipient monitoring compliance requirements. Questioned Costs: Unknown Context: Total federal expenditures for the Disaster Grants – Public Assistance (Presidentially Declared Disasters) program were $123,949,127 for the year ended June 30, 2023. SBA had two subrecipients with subrecipient expenditures totaling $45,615,370 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–043 Recommendation: We recommend that SBA implement policies and procedures surrounding subrecipient monitoring to ensure they are in compliance with the subrecipient monitoring compliance requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–056 INTERNAL CONTROLS OVER ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Homeland Security Disaster Grants – Public Assistance (Presidentially Declared Disasters) 97.036/COVID-19 97.036, Grant Award FEMA–4273-DR–WV, Grant Award FEMA–4331-DR–WV, Grant Award FEMA–4359-DR–WV, Grant Award FEMA–4378-DR–WV, Grant Award FEMA–4455-DR–WV, Grant Award FEMA–4517-DR–WV, Grant Award FEMA–4603-DR–WV, Grant Award FEMA–4605-DR–WV Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: For 21 of the 40 payroll transactions selected for testing at the West Virginia Military Authority (the Authority), there was no documentation that the employee’s time worked was reviewed and approved. Cause: The Authority does not have adequate internal controls and policies and procedures in place to ensure all payroll transactions are reviewed and approved. Effect or Potential Effect: The Authority may not identify noncompliance with federal statues, regulations, and terms of the conditions of the federal award including allowability. Expenditures may be paid that are not allowable. Questioned Costs: N/A Context: Total federal expenditures for the Disaster Grants – Public Assistance (Presidentially Declared Disasters) program were $123,949,127, for the year ended June 30, 2023. Total payroll charged to the grant at the Authority was $2,221,140. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that the Authority implement controls to ensure that expenditures are properly reviewed and approved before being charged to a federal award. Views of Responsible Officials: Management acknowledges the finding. See corrective action plan.
2023–057 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Homeland Security Disaster Grants – Public Assistance (Presidentially Declared Disasters) 97.036/COVID-19 97.036, Grant Award FEMA–4273-DR–WV, Grant Award FEMA–4331-DR–WV, Grant Award FEMA–4359-DR–WV, Grant Award FEMA–4378-DR–WV, Grant Award FEMA–4455-DR–WV, Grant Award FEMA–4517-DR–WV, Grant Award FEMA–4603-DR–WV, Grant Award FEMA–4605-DR–WV Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the West Virginia Division of Emergency Management (DEM) must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.403 requires that costs “be necessary and reasonable for the performance of the Federal award.” Costs should not consist of improper payments, including payments that were made to an ineligible party or for an ineligible good or service or payments for goods or services not received. Condition: The West Virginia Department of Health and Human Resources (DHHR) paid invoices to a third party vendor that were approved for payment without verifying the invoices for accuracy. Cause: DHHR does not have proper internal controls in place to ensure that invoices are verified for accuracy prior to payment. Effect or Potential Effect: Unallowable expenditures may have been paid with federal funds. Questioned Costs: $3,464,213 Context: Total federal expenditures for the Disaster Grants – Public Assistance (Presidentially Declared Disasters) program were $123,949,127 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that DHHR implement proper internal controls to ensure that all invoices are accurate. and costs are allowable under the federal program. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–054 INTERNAL CONTROLS OVER TRANSPARENCY ACT REPORTING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Homeland Security Disaster Grants – Public Assistance (Presidentially Declared Disasters) 97.036/COVID-19 97.036, Grant Award FEMA–4273-DR–WV, Grant Award FEMA–4331-DR–WV, Grant Award FEMA–4359-DR–WV, Grant Award FEMA–4378-DR–WV, Grant Award FEMA–4455-DR–WV, Grant Award FEMA–4517-DR–WV, Grant Award FEMA–4603-DR–WV, Grant Award FEMA–4605-DR–WV Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: For 21 of the 31 subawards selected for testing, the West Virginia Division of Emergency Management (DEM) did not review and approve the Federal Funding Accountability and Transparency Act (FFATA) reports that were submitted to Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS). Cause: DEM does not have adequate internal controls in place to ensure that subawards of $30,000 or more are being reported timely and accurately to FSRS. Effect or Potential Effect: DEM may report inaccurate or untimely information for first-tier subawards of $30,000 or more causing them not to be in compliance with federal reporting requirements. Questioned Costs: N/A Context: Total federal expenditures and total subrecipient expenditures for the Disaster Grants – Public Assistance (Presidentially Declared Disasters) program were $123,949,127 and $65,999,232, respectively, for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Findings 2022–042 and 2021–041 Recommendation: We recommend that DEM strengthen internal controls over FFATA reporting to ensure they are in compliance with federal reporting requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–055 SUBRECIPIENT MONITORING
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Homeland Security Disaster Grants – Public Assistance (Presidentially Declared Disasters) 97.036, Grant Award FEMA–4273-DR–WV, Grant Award FEMA–4331-DR–WV, Grant Award FEMA–4359-DR–WV, Grant Award FEMA–4378-DR–WV, Grant Award FEMA–4455-DR–WV, Grant Award FEMA–4517-DR–WV, Grant Award FEMA–4603-DR–WV, Grant Award FEMA–4605-DR–WV Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the West Virginia Division of Emergency Management (DEM) must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.332(b) requires that all pass-through entities must: (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency). 2 CFR 200.332(f) required that all pass-through entities must “verify that every subrecipient is audited as required by Subpart F of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in Section 200.501.” Condition: The School Building Authority (SBA) did not perform subrecipient risk assessments. Additionally, SBA did not verify if subrecipients subject to be audited per 2 CFR 200.332(f) were audited as required. Cause: SBA does not have proper policies and procedures in place surrounding the subrecipient monitoring compliance requirements. Effect or Potential Effect: SBA is not in compliance with the subrecipient monitoring compliance requirements. Questioned Costs: Unknown Context: Total federal expenditures for the Disaster Grants – Public Assistance (Presidentially Declared Disasters) program were $123,949,127 for the year ended June 30, 2023. SBA had two subrecipients with subrecipient expenditures totaling $45,615,370 for the year ended June 30, 2023. Identification as a Repeat Finding: Prior Year Finding 2022–043 Recommendation: We recommend that SBA implement policies and procedures surrounding subrecipient monitoring to ensure they are in compliance with the subrecipient monitoring compliance requirements. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.
2023–056 INTERNAL CONTROLS OVER ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Homeland Security Disaster Grants – Public Assistance (Presidentially Declared Disasters) 97.036/COVID-19 97.036, Grant Award FEMA–4273-DR–WV, Grant Award FEMA–4331-DR–WV, Grant Award FEMA–4359-DR–WV, Grant Award FEMA–4378-DR–WV, Grant Award FEMA–4455-DR–WV, Grant Award FEMA–4517-DR–WV, Grant Award FEMA–4603-DR–WV, Grant Award FEMA–4605-DR–WV Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that a non-federal entity must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Condition: For 21 of the 40 payroll transactions selected for testing at the West Virginia Military Authority (the Authority), there was no documentation that the employee’s time worked was reviewed and approved. Cause: The Authority does not have adequate internal controls and policies and procedures in place to ensure all payroll transactions are reviewed and approved. Effect or Potential Effect: The Authority may not identify noncompliance with federal statues, regulations, and terms of the conditions of the federal award including allowability. Expenditures may be paid that are not allowable. Questioned Costs: N/A Context: Total federal expenditures for the Disaster Grants – Public Assistance (Presidentially Declared Disasters) program were $123,949,127, for the year ended June 30, 2023. Total payroll charged to the grant at the Authority was $2,221,140. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that the Authority implement controls to ensure that expenditures are properly reviewed and approved before being charged to a federal award. Views of Responsible Officials: Management acknowledges the finding. See corrective action plan.
2023–057 ACTIVITIES ALLOWED OR UNALLOWED AND ALLOWABLE COSTS/COST PRINCIPLES
Federal Program Information: Federal Agency and Program Name Assistance Listing # U.S. Department of Homeland Security Disaster Grants – Public Assistance (Presidentially Declared Disasters) 97.036/COVID-19 97.036, Grant Award FEMA–4273-DR–WV, Grant Award FEMA–4331-DR–WV, Grant Award FEMA–4359-DR–WV, Grant Award FEMA–4378-DR–WV, Grant Award FEMA–4455-DR–WV, Grant Award FEMA–4517-DR–WV, Grant Award FEMA–4603-DR–WV, Grant Award FEMA–4605-DR–WV Criteria or specific requirement (including statutory, regulatory or other citation): 2 CFR 200.303 requires that the West Virginia Division of Emergency Management (DEM) must “(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the comptroller General of the United States and the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR 200.403 requires that costs “be necessary and reasonable for the performance of the Federal award.” Costs should not consist of improper payments, including payments that were made to an ineligible party or for an ineligible good or service or payments for goods or services not received. Condition: The West Virginia Department of Health and Human Resources (DHHR) paid invoices to a third party vendor that were approved for payment without verifying the invoices for accuracy. Cause: DHHR does not have proper internal controls in place to ensure that invoices are verified for accuracy prior to payment. Effect or Potential Effect: Unallowable expenditures may have been paid with federal funds. Questioned Costs: $3,464,213 Context: Total federal expenditures for the Disaster Grants – Public Assistance (Presidentially Declared Disasters) program were $123,949,127 for the year ended June 30, 2023. Identification as a Repeat Finding: This is not a repeat finding from the prior year. Recommendation: We recommend that DHHR implement proper internal controls to ensure that all invoices are accurate. and costs are allowable under the federal program. Views of Responsible Officials: Management concurs with the finding and has developed a plan to correct the finding.