Audit 296143

Department of Human Services Finding 2023 – 012: ALN 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2022-006) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 – 9/30/2022), 231PA405S2514 (10/01/2022 – 9/30/2023), 1701PATANF (10/01/2016 – 9/30/2017), 2101PATANF (10/01/2020 – 9/30/2021), 2101PATANFC6 (10/01/2020 – 9/30/2022), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2023 totaled $5.5 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2023 totaled $116.8 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our testing of the physical security over EBT cards, we noted exceptions at ten CAO and district locations selected for testing. These exceptions included the following: 1) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a CAO (1 location); 2) The Roles/Permissions Report from the EBT Card Tracking Database provided by the EBT Project Office and CAO/district offices did not reconcile (1 district office and 5 CAO locations); 3) EBT cards were created outside of the hours of operations (1 district office and 1 CAO location); 4) Failure to perform the following: • Completion of the witness fields on a Ribbon Log (1 CAO location); • Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 district office); • Ensure that coverage for card pinning is available until 5:00 PM each business day (2 locations); • Enter EBT cards into the EBT Card Tracking Database at the same time that the card Primary Account Number (PAN) is created in the Electronic Payment Processing and Information Control (EPPIC) system (1 CAO location); • Maintain adequate security of EBT cards (1 district office); • Maintain adequate security of pinning device (1 district office); • Maintain adequate security of EBT card printing device (1 district office); Finding 2023 – 012: (continued) • Maintain operational efficiency due to only having one PIN Select Device (1 CAO location); • Maintain Form HS 764 in the case record after the EBT card is created (1 CAO location); • Maintain an EPPIC EBT Systems Application form (1 CAO location); • Proper completion of the EPPIC EBT Systems Application form; the form requested the user be granted an EPPIC Admin role (inquiry-only access) as well as a PIN Select User role (1 CAO location); • Timely enter a shipment received into the EBT Card Tracking Database (1 CAO location); and • Timely completion and submission of the EPPIC EBT Systems Application forms to the Office of Income Maintenance (OIM) EBT Security (1 district office and 3 CAO locations). Forty of the 261 business days in the current audit period were selected to test the handling and destruction of returned EBT cards. During our testing of the handling and destruction of returned EBT cards, we noted exceptions on one of the 40 business days selected for testing. These exceptions included the following: 1) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Approved by the Project Officer" column of the EBT Headquarters Card Destruction Log was signed and dated by the supervisor one day after the “Cards Destroyed by” column was signed and dated by the clerk. The cards were destroyed prior to the review/approval by the supervisor. 2) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Number of Cards Received by the Project Officer” column of the EBT Headquarters Card Destruction Log was not completed by the supervisor. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions – N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also §75.361, 75.362, 75.363, 75.364, and 75.365): (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See §75.303. Finding 2023 – 012: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Human Services Finding 2023 – 012: ALN 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2022-006) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 – 9/30/2022), 231PA405S2514 (10/01/2022 – 9/30/2023), 1701PATANF (10/01/2016 – 9/30/2017), 2101PATANF (10/01/2020 – 9/30/2021), 2101PATANFC6 (10/01/2020 – 9/30/2022), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2023 totaled $5.5 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2023 totaled $116.8 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our testing of the physical security over EBT cards, we noted exceptions at ten CAO and district locations selected for testing. These exceptions included the following: 1) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a CAO (1 location); 2) The Roles/Permissions Report from the EBT Card Tracking Database provided by the EBT Project Office and CAO/district offices did not reconcile (1 district office and 5 CAO locations); 3) EBT cards were created outside of the hours of operations (1 district office and 1 CAO location); 4) Failure to perform the following: • Completion of the witness fields on a Ribbon Log (1 CAO location); • Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 district office); • Ensure that coverage for card pinning is available until 5:00 PM each business day (2 locations); • Enter EBT cards into the EBT Card Tracking Database at the same time that the card Primary Account Number (PAN) is created in the Electronic Payment Processing and Information Control (EPPIC) system (1 CAO location); • Maintain adequate security of EBT cards (1 district office); • Maintain adequate security of pinning device (1 district office); • Maintain adequate security of EBT card printing device (1 district office); Finding 2023 – 012: (continued) • Maintain operational efficiency due to only having one PIN Select Device (1 CAO location); • Maintain Form HS 764 in the case record after the EBT card is created (1 CAO location); • Maintain an EPPIC EBT Systems Application form (1 CAO location); • Proper completion of the EPPIC EBT Systems Application form; the form requested the user be granted an EPPIC Admin role (inquiry-only access) as well as a PIN Select User role (1 CAO location); • Timely enter a shipment received into the EBT Card Tracking Database (1 CAO location); and • Timely completion and submission of the EPPIC EBT Systems Application forms to the Office of Income Maintenance (OIM) EBT Security (1 district office and 3 CAO locations). Forty of the 261 business days in the current audit period were selected to test the handling and destruction of returned EBT cards. During our testing of the handling and destruction of returned EBT cards, we noted exceptions on one of the 40 business days selected for testing. These exceptions included the following: 1) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Approved by the Project Officer" column of the EBT Headquarters Card Destruction Log was signed and dated by the supervisor one day after the “Cards Destroyed by” column was signed and dated by the clerk. The cards were destroyed prior to the review/approval by the supervisor. 2) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Number of Cards Received by the Project Officer” column of the EBT Headquarters Card Destruction Log was not completed by the supervisor. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions – N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also §75.361, 75.362, 75.363, 75.364, and 75.365): (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See §75.303. Finding 2023 – 012: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Human Services Finding 2023 – 012: ALN 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2022-006) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 – 9/30/2022), 231PA405S2514 (10/01/2022 – 9/30/2023), 1701PATANF (10/01/2016 – 9/30/2017), 2101PATANF (10/01/2020 – 9/30/2021), 2101PATANFC6 (10/01/2020 – 9/30/2022), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2023 totaled $5.5 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2023 totaled $116.8 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our testing of the physical security over EBT cards, we noted exceptions at ten CAO and district locations selected for testing. These exceptions included the following: 1) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a CAO (1 location); 2) The Roles/Permissions Report from the EBT Card Tracking Database provided by the EBT Project Office and CAO/district offices did not reconcile (1 district office and 5 CAO locations); 3) EBT cards were created outside of the hours of operations (1 district office and 1 CAO location); 4) Failure to perform the following: • Completion of the witness fields on a Ribbon Log (1 CAO location); • Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 district office); • Ensure that coverage for card pinning is available until 5:00 PM each business day (2 locations); • Enter EBT cards into the EBT Card Tracking Database at the same time that the card Primary Account Number (PAN) is created in the Electronic Payment Processing and Information Control (EPPIC) system (1 CAO location); • Maintain adequate security of EBT cards (1 district office); • Maintain adequate security of pinning device (1 district office); • Maintain adequate security of EBT card printing device (1 district office); Finding 2023 – 012: (continued) • Maintain operational efficiency due to only having one PIN Select Device (1 CAO location); • Maintain Form HS 764 in the case record after the EBT card is created (1 CAO location); • Maintain an EPPIC EBT Systems Application form (1 CAO location); • Proper completion of the EPPIC EBT Systems Application form; the form requested the user be granted an EPPIC Admin role (inquiry-only access) as well as a PIN Select User role (1 CAO location); • Timely enter a shipment received into the EBT Card Tracking Database (1 CAO location); and • Timely completion and submission of the EPPIC EBT Systems Application forms to the Office of Income Maintenance (OIM) EBT Security (1 district office and 3 CAO locations). Forty of the 261 business days in the current audit period were selected to test the handling and destruction of returned EBT cards. During our testing of the handling and destruction of returned EBT cards, we noted exceptions on one of the 40 business days selected for testing. These exceptions included the following: 1) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Approved by the Project Officer" column of the EBT Headquarters Card Destruction Log was signed and dated by the supervisor one day after the “Cards Destroyed by” column was signed and dated by the clerk. The cards were destroyed prior to the review/approval by the supervisor. 2) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Number of Cards Received by the Project Officer” column of the EBT Headquarters Card Destruction Log was not completed by the supervisor. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions – N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also §75.361, 75.362, 75.363, 75.364, and 75.365): (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See §75.303. Finding 2023 – 012: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Human Services Finding 2023 – 012: ALN 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2022-006) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 – 9/30/2022), 231PA405S2514 (10/01/2022 – 9/30/2023), 1701PATANF (10/01/2016 – 9/30/2017), 2101PATANF (10/01/2020 – 9/30/2021), 2101PATANFC6 (10/01/2020 – 9/30/2022), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2023 totaled $5.5 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2023 totaled $116.8 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our testing of the physical security over EBT cards, we noted exceptions at ten CAO and district locations selected for testing. These exceptions included the following: 1) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a CAO (1 location); 2) The Roles/Permissions Report from the EBT Card Tracking Database provided by the EBT Project Office and CAO/district offices did not reconcile (1 district office and 5 CAO locations); 3) EBT cards were created outside of the hours of operations (1 district office and 1 CAO location); 4) Failure to perform the following: • Completion of the witness fields on a Ribbon Log (1 CAO location); • Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 district office); • Ensure that coverage for card pinning is available until 5:00 PM each business day (2 locations); • Enter EBT cards into the EBT Card Tracking Database at the same time that the card Primary Account Number (PAN) is created in the Electronic Payment Processing and Information Control (EPPIC) system (1 CAO location); • Maintain adequate security of EBT cards (1 district office); • Maintain adequate security of pinning device (1 district office); • Maintain adequate security of EBT card printing device (1 district office); Finding 2023 – 012: (continued) • Maintain operational efficiency due to only having one PIN Select Device (1 CAO location); • Maintain Form HS 764 in the case record after the EBT card is created (1 CAO location); • Maintain an EPPIC EBT Systems Application form (1 CAO location); • Proper completion of the EPPIC EBT Systems Application form; the form requested the user be granted an EPPIC Admin role (inquiry-only access) as well as a PIN Select User role (1 CAO location); • Timely enter a shipment received into the EBT Card Tracking Database (1 CAO location); and • Timely completion and submission of the EPPIC EBT Systems Application forms to the Office of Income Maintenance (OIM) EBT Security (1 district office and 3 CAO locations). Forty of the 261 business days in the current audit period were selected to test the handling and destruction of returned EBT cards. During our testing of the handling and destruction of returned EBT cards, we noted exceptions on one of the 40 business days selected for testing. These exceptions included the following: 1) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Approved by the Project Officer" column of the EBT Headquarters Card Destruction Log was signed and dated by the supervisor one day after the “Cards Destroyed by” column was signed and dated by the clerk. The cards were destroyed prior to the review/approval by the supervisor. 2) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Number of Cards Received by the Project Officer” column of the EBT Headquarters Card Destruction Log was not completed by the supervisor. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions – N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also §75.361, 75.362, 75.363, 75.364, and 75.365): (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See §75.303. Finding 2023 – 012: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 – 004: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2022-010) Federal Grant Number(s) and Year(s): 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA365N8903 (10/01/2022 – 9/30/2024), 221PA365N8903 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. A monthly performance report (MPR) is submitted to BFA by processors to support commodity activity. We noted a discrepancy between a processor’s MPR and BFA’s Commodity Inventory Report. We noted the following discrepancy in this reconciliation: • Our testing of 40 processor MPRs disclosed that for one processor, BFA duplicated a receipt on their Commodity Inventory Report which was prepared from the inventory application. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.2 Accountability for USDA – Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDA management stated that inventory received was erroneously duplicated for the processor indicated above. Finding 2023 – 004: (continued) Effect: The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA’s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. Agency Response: PDA agrees with the facts of the finding. Questioned Costs: None

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 – 004: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2022-010) Federal Grant Number(s) and Year(s): 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA365N8903 (10/01/2022 – 9/30/2024), 221PA365N8903 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. A monthly performance report (MPR) is submitted to BFA by processors to support commodity activity. We noted a discrepancy between a processor’s MPR and BFA’s Commodity Inventory Report. We noted the following discrepancy in this reconciliation: • Our testing of 40 processor MPRs disclosed that for one processor, BFA duplicated a receipt on their Commodity Inventory Report which was prepared from the inventory application. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.2 Accountability for USDA – Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDA management stated that inventory received was erroneously duplicated for the processor indicated above. Finding 2023 – 004: (continued) Effect: The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA’s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. Agency Response: PDA agrees with the facts of the finding. Questioned Costs: None

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 – 004: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2022-010) Federal Grant Number(s) and Year(s): 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA365N8903 (10/01/2022 – 9/30/2024), 221PA365N8903 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. A monthly performance report (MPR) is submitted to BFA by processors to support commodity activity. We noted a discrepancy between a processor’s MPR and BFA’s Commodity Inventory Report. We noted the following discrepancy in this reconciliation: • Our testing of 40 processor MPRs disclosed that for one processor, BFA duplicated a receipt on their Commodity Inventory Report which was prepared from the inventory application. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.2 Accountability for USDA – Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDA management stated that inventory received was erroneously duplicated for the processor indicated above. Finding 2023 – 004: (continued) Effect: The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA’s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. Agency Response: PDA agrees with the facts of the finding. Questioned Costs: None

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 – 004: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2022-010) Federal Grant Number(s) and Year(s): 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA365N8903 (10/01/2022 – 9/30/2024), 221PA365N8903 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. A monthly performance report (MPR) is submitted to BFA by processors to support commodity activity. We noted a discrepancy between a processor’s MPR and BFA’s Commodity Inventory Report. We noted the following discrepancy in this reconciliation: • Our testing of 40 processor MPRs disclosed that for one processor, BFA duplicated a receipt on their Commodity Inventory Report which was prepared from the inventory application. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.2 Accountability for USDA – Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDA management stated that inventory received was erroneously duplicated for the processor indicated above. Finding 2023 – 004: (continued) Effect: The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA’s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. Agency Response: PDA agrees with the facts of the finding. Questioned Costs: None

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 – 004: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2022-010) Federal Grant Number(s) and Year(s): 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA365N8903 (10/01/2022 – 9/30/2024), 221PA365N8903 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. A monthly performance report (MPR) is submitted to BFA by processors to support commodity activity. We noted a discrepancy between a processor’s MPR and BFA’s Commodity Inventory Report. We noted the following discrepancy in this reconciliation: • Our testing of 40 processor MPRs disclosed that for one processor, BFA duplicated a receipt on their Commodity Inventory Report which was prepared from the inventory application. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.2 Accountability for USDA – Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDA management stated that inventory received was erroneously duplicated for the processor indicated above. Finding 2023 – 004: (continued) Effect: The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA’s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. Agency Response: PDA agrees with the facts of the finding. Questioned Costs: None

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 – 004: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2022-010) Federal Grant Number(s) and Year(s): 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA365N8903 (10/01/2022 – 9/30/2024), 221PA365N8903 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. A monthly performance report (MPR) is submitted to BFA by processors to support commodity activity. We noted a discrepancy between a processor’s MPR and BFA’s Commodity Inventory Report. We noted the following discrepancy in this reconciliation: • Our testing of 40 processor MPRs disclosed that for one processor, BFA duplicated a receipt on their Commodity Inventory Report which was prepared from the inventory application. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.2 Accountability for USDA – Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDA management stated that inventory received was erroneously duplicated for the processor indicated above. Finding 2023 – 004: (continued) Effect: The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA’s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. Agency Response: PDA agrees with the facts of the finding. Questioned Costs: None

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 – 004: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2022-010) Federal Grant Number(s) and Year(s): 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA365N8903 (10/01/2022 – 9/30/2024), 221PA365N8903 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. A monthly performance report (MPR) is submitted to BFA by processors to support commodity activity. We noted a discrepancy between a processor’s MPR and BFA’s Commodity Inventory Report. We noted the following discrepancy in this reconciliation: • Our testing of 40 processor MPRs disclosed that for one processor, BFA duplicated a receipt on their Commodity Inventory Report which was prepared from the inventory application. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.2 Accountability for USDA – Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDA management stated that inventory received was erroneously duplicated for the processor indicated above. Finding 2023 – 004: (continued) Effect: The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA’s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. Agency Response: PDA agrees with the facts of the finding. Questioned Costs: None

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 – 004: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2022-010) Federal Grant Number(s) and Year(s): 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA365N8903 (10/01/2022 – 9/30/2024), 221PA365N8903 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. A monthly performance report (MPR) is submitted to BFA by processors to support commodity activity. We noted a discrepancy between a processor’s MPR and BFA’s Commodity Inventory Report. We noted the following discrepancy in this reconciliation: • Our testing of 40 processor MPRs disclosed that for one processor, BFA duplicated a receipt on their Commodity Inventory Report which was prepared from the inventory application. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.2 Accountability for USDA – Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDA management stated that inventory received was erroneously duplicated for the processor indicated above. Finding 2023 – 004: (continued) Effect: The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA’s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. Agency Response: PDA agrees with the facts of the finding. Questioned Costs: None

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 ¬– 005: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster A Significant Deficiency and Noncompliance Exist in Pennsylvania Department of Agriculture Monitoring of Food Distribution Cluster Subrecipients Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), administers the operations of the Food Distribution Cluster (FDC). During the fiscal year ended June 30, 2023, subrecipient expenditures accounted for $78.9 million or approximately 95 percent of total federal program expenditures of $83.3 million. PDA performs on-site monitoring of subrecipients to ensure compliance with federal program regulations. For the Emergency Food Assistance Program (TEFAP), PDA must perform annual reviews for at least 25 percent of subrecipients who have signed agreements with PDA and no less frequent than once every four years. For the Commodity Supplemental Food Program (CSFP), PDA must perform an on-site review of all subrecipients at least once every two years. As part of our testing of subrecipient monitoring, we selected nine subrecipients to test PDA’s monitoring procedures. We verified that PDA performed monitoring reviews within the required period. Our testing disclosed that PDA failed to monitor one of the 17 CSFP subrecipients in the two-year period from July 1, 2021 through June 30, 2023. Criteria: 7 CFR Section 251.10 (e) (2) regarding TEFAP state monitoring system states: Unless specific exceptions are approved in writing by FNS, the State agency monitoring system must include: (i) An annual review of at least 25 percent of all eligible recipient agencies which have signed an agreement with the State agency pursuant to § 251.2(c), provided that each such agency must be reviewed no less frequently than once every four years; and (ii) An annual review of one-tenth or 20, whichever is fewer, of all eligible recipient agencies which receive TEFAP commodities and/or administrative funds pursuant to an agreement with another eligible recipient agency. Reviews must be conducted, to the maximum extent feasible, simultaneously with actual distribution of commodities and/or meal service, and eligibility determinations, if applicable. State agencies must develop a system for selecting eligible recipient agencies for review that ensures deficiencies in program administration are detected and resolved in an effective and efficient manner. 7 CFR Section 247.34 (a) regarding CSFP management reviews states: The State agency must establish a management review system to ensure that local agencies, subdistributing agencies, and other agencies conducting program activities meet program requirements and objectives. As part of the system, the State agency must perform an on-site review of all local agencies, and of all storage facilities utilized by local agencies, at least once every two years. As part of the on-site review, the State agency must evaluate all aspects of program administration, including certification procedures, nutrition education, civil rights compliance, food storage practices, inventory controls, and financial management systems. In addition to conducting on-site reviews, the State agency must evaluate program administration on an ongoing basis by reviewing financial reports, audit reports, food orders, inventory reports, and other relevant information. Finding 2023 –¬ 005: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Cause: PDA management stated that the subrecipient was to be reviewed in April 2023, but due to new staff assigned to the review, management decided to delay the review for a period of one year to April 2024. Effect: When subrecipients are not reviewed timely, subrecipients may continue to operate in noncompliance with program regulations. Recommendation: We recommend that PDA implement procedures necessary to ensure subrecipients are timely monitored in accordance with FDC program regulations. Agency Response: PDA agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 ¬– 005: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster A Significant Deficiency and Noncompliance Exist in Pennsylvania Department of Agriculture Monitoring of Food Distribution Cluster Subrecipients Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), administers the operations of the Food Distribution Cluster (FDC). During the fiscal year ended June 30, 2023, subrecipient expenditures accounted for $78.9 million or approximately 95 percent of total federal program expenditures of $83.3 million. PDA performs on-site monitoring of subrecipients to ensure compliance with federal program regulations. For the Emergency Food Assistance Program (TEFAP), PDA must perform annual reviews for at least 25 percent of subrecipients who have signed agreements with PDA and no less frequent than once every four years. For the Commodity Supplemental Food Program (CSFP), PDA must perform an on-site review of all subrecipients at least once every two years. As part of our testing of subrecipient monitoring, we selected nine subrecipients to test PDA’s monitoring procedures. We verified that PDA performed monitoring reviews within the required period. Our testing disclosed that PDA failed to monitor one of the 17 CSFP subrecipients in the two-year period from July 1, 2021 through June 30, 2023. Criteria: 7 CFR Section 251.10 (e) (2) regarding TEFAP state monitoring system states: Unless specific exceptions are approved in writing by FNS, the State agency monitoring system must include: (i) An annual review of at least 25 percent of all eligible recipient agencies which have signed an agreement with the State agency pursuant to § 251.2(c), provided that each such agency must be reviewed no less frequently than once every four years; and (ii) An annual review of one-tenth or 20, whichever is fewer, of all eligible recipient agencies which receive TEFAP commodities and/or administrative funds pursuant to an agreement with another eligible recipient agency. Reviews must be conducted, to the maximum extent feasible, simultaneously with actual distribution of commodities and/or meal service, and eligibility determinations, if applicable. State agencies must develop a system for selecting eligible recipient agencies for review that ensures deficiencies in program administration are detected and resolved in an effective and efficient manner. 7 CFR Section 247.34 (a) regarding CSFP management reviews states: The State agency must establish a management review system to ensure that local agencies, subdistributing agencies, and other agencies conducting program activities meet program requirements and objectives. As part of the system, the State agency must perform an on-site review of all local agencies, and of all storage facilities utilized by local agencies, at least once every two years. As part of the on-site review, the State agency must evaluate all aspects of program administration, including certification procedures, nutrition education, civil rights compliance, food storage practices, inventory controls, and financial management systems. In addition to conducting on-site reviews, the State agency must evaluate program administration on an ongoing basis by reviewing financial reports, audit reports, food orders, inventory reports, and other relevant information. Finding 2023 –¬ 005: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Cause: PDA management stated that the subrecipient was to be reviewed in April 2023, but due to new staff assigned to the review, management decided to delay the review for a period of one year to April 2024. Effect: When subrecipients are not reviewed timely, subrecipients may continue to operate in noncompliance with program regulations. Recommendation: We recommend that PDA implement procedures necessary to ensure subrecipients are timely monitored in accordance with FDC program regulations. Agency Response: PDA agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 ¬– 005: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster A Significant Deficiency and Noncompliance Exist in Pennsylvania Department of Agriculture Monitoring of Food Distribution Cluster Subrecipients Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), administers the operations of the Food Distribution Cluster (FDC). During the fiscal year ended June 30, 2023, subrecipient expenditures accounted for $78.9 million or approximately 95 percent of total federal program expenditures of $83.3 million. PDA performs on-site monitoring of subrecipients to ensure compliance with federal program regulations. For the Emergency Food Assistance Program (TEFAP), PDA must perform annual reviews for at least 25 percent of subrecipients who have signed agreements with PDA and no less frequent than once every four years. For the Commodity Supplemental Food Program (CSFP), PDA must perform an on-site review of all subrecipients at least once every two years. As part of our testing of subrecipient monitoring, we selected nine subrecipients to test PDA’s monitoring procedures. We verified that PDA performed monitoring reviews within the required period. Our testing disclosed that PDA failed to monitor one of the 17 CSFP subrecipients in the two-year period from July 1, 2021 through June 30, 2023. Criteria: 7 CFR Section 251.10 (e) (2) regarding TEFAP state monitoring system states: Unless specific exceptions are approved in writing by FNS, the State agency monitoring system must include: (i) An annual review of at least 25 percent of all eligible recipient agencies which have signed an agreement with the State agency pursuant to § 251.2(c), provided that each such agency must be reviewed no less frequently than once every four years; and (ii) An annual review of one-tenth or 20, whichever is fewer, of all eligible recipient agencies which receive TEFAP commodities and/or administrative funds pursuant to an agreement with another eligible recipient agency. Reviews must be conducted, to the maximum extent feasible, simultaneously with actual distribution of commodities and/or meal service, and eligibility determinations, if applicable. State agencies must develop a system for selecting eligible recipient agencies for review that ensures deficiencies in program administration are detected and resolved in an effective and efficient manner. 7 CFR Section 247.34 (a) regarding CSFP management reviews states: The State agency must establish a management review system to ensure that local agencies, subdistributing agencies, and other agencies conducting program activities meet program requirements and objectives. As part of the system, the State agency must perform an on-site review of all local agencies, and of all storage facilities utilized by local agencies, at least once every two years. As part of the on-site review, the State agency must evaluate all aspects of program administration, including certification procedures, nutrition education, civil rights compliance, food storage practices, inventory controls, and financial management systems. In addition to conducting on-site reviews, the State agency must evaluate program administration on an ongoing basis by reviewing financial reports, audit reports, food orders, inventory reports, and other relevant information. Finding 2023 –¬ 005: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Cause: PDA management stated that the subrecipient was to be reviewed in April 2023, but due to new staff assigned to the review, management decided to delay the review for a period of one year to April 2024. Effect: When subrecipients are not reviewed timely, subrecipients may continue to operate in noncompliance with program regulations. Recommendation: We recommend that PDA implement procedures necessary to ensure subrecipients are timely monitored in accordance with FDC program regulations. Agency Response: PDA agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 ¬– 005: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster A Significant Deficiency and Noncompliance Exist in Pennsylvania Department of Agriculture Monitoring of Food Distribution Cluster Subrecipients Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), administers the operations of the Food Distribution Cluster (FDC). During the fiscal year ended June 30, 2023, subrecipient expenditures accounted for $78.9 million or approximately 95 percent of total federal program expenditures of $83.3 million. PDA performs on-site monitoring of subrecipients to ensure compliance with federal program regulations. For the Emergency Food Assistance Program (TEFAP), PDA must perform annual reviews for at least 25 percent of subrecipients who have signed agreements with PDA and no less frequent than once every four years. For the Commodity Supplemental Food Program (CSFP), PDA must perform an on-site review of all subrecipients at least once every two years. As part of our testing of subrecipient monitoring, we selected nine subrecipients to test PDA’s monitoring procedures. We verified that PDA performed monitoring reviews within the required period. Our testing disclosed that PDA failed to monitor one of the 17 CSFP subrecipients in the two-year period from July 1, 2021 through June 30, 2023. Criteria: 7 CFR Section 251.10 (e) (2) regarding TEFAP state monitoring system states: Unless specific exceptions are approved in writing by FNS, the State agency monitoring system must include: (i) An annual review of at least 25 percent of all eligible recipient agencies which have signed an agreement with the State agency pursuant to § 251.2(c), provided that each such agency must be reviewed no less frequently than once every four years; and (ii) An annual review of one-tenth or 20, whichever is fewer, of all eligible recipient agencies which receive TEFAP commodities and/or administrative funds pursuant to an agreement with another eligible recipient agency. Reviews must be conducted, to the maximum extent feasible, simultaneously with actual distribution of commodities and/or meal service, and eligibility determinations, if applicable. State agencies must develop a system for selecting eligible recipient agencies for review that ensures deficiencies in program administration are detected and resolved in an effective and efficient manner. 7 CFR Section 247.34 (a) regarding CSFP management reviews states: The State agency must establish a management review system to ensure that local agencies, subdistributing agencies, and other agencies conducting program activities meet program requirements and objectives. As part of the system, the State agency must perform an on-site review of all local agencies, and of all storage facilities utilized by local agencies, at least once every two years. As part of the on-site review, the State agency must evaluate all aspects of program administration, including certification procedures, nutrition education, civil rights compliance, food storage practices, inventory controls, and financial management systems. In addition to conducting on-site reviews, the State agency must evaluate program administration on an ongoing basis by reviewing financial reports, audit reports, food orders, inventory reports, and other relevant information. Finding 2023 –¬ 005: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Cause: PDA management stated that the subrecipient was to be reviewed in April 2023, but due to new staff assigned to the review, management decided to delay the review for a period of one year to April 2024. Effect: When subrecipients are not reviewed timely, subrecipients may continue to operate in noncompliance with program regulations. Recommendation: We recommend that PDA implement procedures necessary to ensure subrecipients are timely monitored in accordance with FDC program regulations. Agency Response: PDA agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Education Finding 2023 –¬ 008: ALN 10.558 – Child and Adult Care Food Program A Significant Deficiency and Noncompliance Exist in Pennsylvania Department of Education Monitoring of Child and Adult Care Food Program Subrecipients Federal Grant Number(s) and Year(s): 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA305N1099 (10/01/2021 – 9/30/2022) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Pennsylvania Department of Education (PDE), Division of Food and Nutrition, Bureau of Budget and Fiscal Management, administers the operations of the Child and Adult Care Food Program (CACFP). During the fiscal year ended June 30, 2023, subrecipient expenditures accounted for $117.9 million or approximately 99 percent of total federal program expenditures of $119 million. As part of our testing of subrecipient monitoring, we selected 40 subrecipients to test PDE’s monitoring procedures. PDE performs on-site monitoring of subrecipients to ensure compliance with federal program regulations. The United States Department of Agriculture waived the CACFP monitoring requirement included in 7 CFR Section 226.6 (m) (6) to be conducted on-site through June 30, 2023. However, state agencies that elected to use the waiver were still required to continue monitoring activities of program operations off-site. Independent centers and sponsoring organizations (subrecipients) of one to 100 facilities must be reviewed once every three years, and sponsoring organizations with more than 100 facilities must be reviewed once every two years. PDE uses standardized monitoring reports to document its review of each subrecipient, noting deficiencies and areas for improvement. PDE communicates any deficiencies noted and recommendations to the subrecipient and requires the subrecipient to submit corrective action documents (CAD) to PDE. PDE then reviews and evaluates responses submitted on the CAD for adequacy. 7 CFR Section 226.6 (o) requires PDE to ensure the corrective actions are approved within a time period specified by PDE. Applicable to the current audit period, PDE’s internal procedures in Standard Operating Procedure (SOP) #FS-RS-CACFP-05, state that the review must be closed within 180 days of the exit date. To close an administrative review, PDE must either approve the subrecipient’s response to the CAD or issue a notice of serious deficiency to the subrecipient if acceptable responses to the CAD are not received. PDE’s responsibility for financial management requires it to have a system in place for monitoring and reviewing subrecipients’ documentation of their nonprofit status. The resource management section of PDE’s monitoring instrument contains steps to ensure the subrecipients have a nonprofit status. We sampled 40 of PDE’s reviews of subrecipients out of a population of 317 reviews scheduled during program year October 2021 to September 2022. We audited this period because PDE tracks their subrecipient monitoring based on a federal fiscal year basis. We noted the following deficiencies in our monitoring testing: • For three reviews that were closed by PDE for the program year and had a final determination letter issued, PDE did not close the reviews within the required 180 days. These reviews did not include any complex findings that would have required more time to close. The number of days these reviews were closed beyond 180 days ranged from 28 to 33 days with an average of 30 days. • For one review completed by PDE for the program year, PDE identified a deficiency, that the sponsor did not maintain a nonprofit status as required; however, the reviewer did not write or issue a CAD to the sponsor. Also, it did not appear that the regional supervisor identified it while processing the review. Finding 2023 ¬– 008: (continued) Criteria: 7 CFR Section 226.6 (o) regarding child care standards for compliance states: The State agency shall, when conducting administrative reviews of child care centers, and day care homes approved by the State agency under paragraph (d)(3) of this section, determine compliance with the child care standards used to establish eligibility, and the institution shall ensure that all violations are corrected and the State shall ensure that the institution has corrected all violations. If violations are not corrected within the specified timeframe for corrective action, the State agency must issue a notice of serious deficiency… PDE’s CACFP procedures regarding the performance of CACFP reviews of subrecipients, as specified in SOP #FS-RS-CACFP-05, state only that the “Review must be closed by 180 days after exit date.” This 180 days includes the issuance of any necessary findings and follow-up on CADs. 7 CFR Section 226.7 (b) (1) (iii) regarding state agency responsibilities for financial management states: State agencies must also have a system in place for: Monitoring and reviewing the institutions' documentation of their nonprofit status to ensure that all Program reimbursement funds are used solely for the conduct of the food service operation or to improve food service operations, principally for the benefit of children or adult participants. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDE management does not believe that the agency has a regulatory requirement to specify a time period for closing a review. 7 CFR Section 226 (o) indicates that the state shall ensure the institution has corrected all violations within the specified timeframe. PDE’s procedures in SOP #FS-RS-CACFP-05 states that an administrative review must close within 180 days after exit date, which requires PDE to either approve the subrecipient’s CAD or issue a notice of serious deficiency, if necessary. However, PDE believes the 180-day requirement is an internal policy and allows for exceptions. PDE management further stated that the delays were due to staffing changes and shortages and failure to issue a CAD for sponsor noncompliance was due to reviewer oversight. Effect: When findings and CADs are not reviewed, approved, and closed by PDE timely, subrecipients may continue to operate in noncompliance with program regulations. Permitting subrecipients to operate in violation of program requirements for extended periods of time increases the likelihood that funds may not be spent for intended purposes or in accordance with program requirements. Furthermore, untimely closure of findings and CADs by PDE increases the likelihood that individuals served by the program are not receiving the benefits that are paid for with CACFP funds. PDE’s failure to ensure sponsors are operating in a nonprofit status can result in subrecipients operating in noncompliance with program regulations where program reimbursement funds may be used for non-food service operations. Recommendation: We recommend that PDE management increase its review and oversight efforts. PDE should implement procedures necessary to ensure subrecipients are timely monitored, and monitoring findings and CADs are prepared, presented, and timely followed up on in accordance with CACFP program regulations. Agency Response: PDE disagrees with the portion of the finding as it pertains to timeliness of closing review and agrees with the portion of the finding that pertains to a sponsor who was not provided a CAD in response to an identified deficiency. Finding 2023 –¬ 008: (continued) Auditors’ Conclusion: As stated in the criteria above, we believe 7 CFR Section 226.6 (o) clearly states that the state agency must establish a specified timeframe for ensuring subrecipient corrective action has taken place. PDE’s SOP #FS-RS-CACFP-05 states the period is 180 days to close a review. The finding remains as stated. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Education Finding 2023 –¬ 008: ALN 10.558 – Child and Adult Care Food Program A Significant Deficiency and Noncompliance Exist in Pennsylvania Department of Education Monitoring of Child and Adult Care Food Program Subrecipients Federal Grant Number(s) and Year(s): 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA305N1099 (10/01/2021 – 9/30/2022) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Pennsylvania Department of Education (PDE), Division of Food and Nutrition, Bureau of Budget and Fiscal Management, administers the operations of the Child and Adult Care Food Program (CACFP). During the fiscal year ended June 30, 2023, subrecipient expenditures accounted for $117.9 million or approximately 99 percent of total federal program expenditures of $119 million. As part of our testing of subrecipient monitoring, we selected 40 subrecipients to test PDE’s monitoring procedures. PDE performs on-site monitoring of subrecipients to ensure compliance with federal program regulations. The United States Department of Agriculture waived the CACFP monitoring requirement included in 7 CFR Section 226.6 (m) (6) to be conducted on-site through June 30, 2023. However, state agencies that elected to use the waiver were still required to continue monitoring activities of program operations off-site. Independent centers and sponsoring organizations (subrecipients) of one to 100 facilities must be reviewed once every three years, and sponsoring organizations with more than 100 facilities must be reviewed once every two years. PDE uses standardized monitoring reports to document its review of each subrecipient, noting deficiencies and areas for improvement. PDE communicates any deficiencies noted and recommendations to the subrecipient and requires the subrecipient to submit corrective action documents (CAD) to PDE. PDE then reviews and evaluates responses submitted on the CAD for adequacy. 7 CFR Section 226.6 (o) requires PDE to ensure the corrective actions are approved within a time period specified by PDE. Applicable to the current audit period, PDE’s internal procedures in Standard Operating Procedure (SOP) #FS-RS-CACFP-05, state that the review must be closed within 180 days of the exit date. To close an administrative review, PDE must either approve the subrecipient’s response to the CAD or issue a notice of serious deficiency to the subrecipient if acceptable responses to the CAD are not received. PDE’s responsibility for financial management requires it to have a system in place for monitoring and reviewing subrecipients’ documentation of their nonprofit status. The resource management section of PDE’s monitoring instrument contains steps to ensure the subrecipients have a nonprofit status. We sampled 40 of PDE’s reviews of subrecipients out of a population of 317 reviews scheduled during program year October 2021 to September 2022. We audited this period because PDE tracks their subrecipient monitoring based on a federal fiscal year basis. We noted the following deficiencies in our monitoring testing: • For three reviews that were closed by PDE for the program year and had a final determination letter issued, PDE did not close the reviews within the required 180 days. These reviews did not include any complex findings that would have required more time to close. The number of days these reviews were closed beyond 180 days ranged from 28 to 33 days with an average of 30 days. • For one review completed by PDE for the program year, PDE identified a deficiency, that the sponsor did not maintain a nonprofit status as required; however, the reviewer did not write or issue a CAD to the sponsor. Also, it did not appear that the regional supervisor identified it while processing the review. Finding 2023 ¬– 008: (continued) Criteria: 7 CFR Section 226.6 (o) regarding child care standards for compliance states: The State agency shall, when conducting administrative reviews of child care centers, and day care homes approved by the State agency under paragraph (d)(3) of this section, determine compliance with the child care standards used to establish eligibility, and the institution shall ensure that all violations are corrected and the State shall ensure that the institution has corrected all violations. If violations are not corrected within the specified timeframe for corrective action, the State agency must issue a notice of serious deficiency… PDE’s CACFP procedures regarding the performance of CACFP reviews of subrecipients, as specified in SOP #FS-RS-CACFP-05, state only that the “Review must be closed by 180 days after exit date.” This 180 days includes the issuance of any necessary findings and follow-up on CADs. 7 CFR Section 226.7 (b) (1) (iii) regarding state agency responsibilities for financial management states: State agencies must also have a system in place for: Monitoring and reviewing the institutions' documentation of their nonprofit status to ensure that all Program reimbursement funds are used solely for the conduct of the food service operation or to improve food service operations, principally for the benefit of children or adult participants. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDE management does not believe that the agency has a regulatory requirement to specify a time period for closing a review. 7 CFR Section 226 (o) indicates that the state shall ensure the institution has corrected all violations within the specified timeframe. PDE’s procedures in SOP #FS-RS-CACFP-05 states that an administrative review must close within 180 days after exit date, which requires PDE to either approve the subrecipient’s CAD or issue a notice of serious deficiency, if necessary. However, PDE believes the 180-day requirement is an internal policy and allows for exceptions. PDE management further stated that the delays were due to staffing changes and shortages and failure to issue a CAD for sponsor noncompliance was due to reviewer oversight. Effect: When findings and CADs are not reviewed, approved, and closed by PDE timely, subrecipients may continue to operate in noncompliance with program regulations. Permitting subrecipients to operate in violation of program requirements for extended periods of time increases the likelihood that funds may not be spent for intended purposes or in accordance with program requirements. Furthermore, untimely closure of findings and CADs by PDE increases the likelihood that individuals served by the program are not receiving the benefits that are paid for with CACFP funds. PDE’s failure to ensure sponsors are operating in a nonprofit status can result in subrecipients operating in noncompliance with program regulations where program reimbursement funds may be used for non-food service operations. Recommendation: We recommend that PDE management increase its review and oversight efforts. PDE should implement procedures necessary to ensure subrecipients are timely monitored, and monitoring findings and CADs are prepared, presented, and timely followed up on in accordance with CACFP program regulations. Agency Response: PDE disagrees with the portion of the finding as it pertains to timeliness of closing review and agrees with the portion of the finding that pertains to a sponsor who was not provided a CAD in response to an identified deficiency. Finding 2023 –¬ 008: (continued) Auditors’ Conclusion: As stated in the criteria above, we believe 7 CFR Section 226.6 (o) clearly states that the state agency must establish a specified timeframe for ensuring subrecipient corrective action has taken place. PDE’s SOP #FS-RS-CACFP-05 states the period is 180 days to close a review. The finding remains as stated. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Environmental Protection Finding 2023 –¬ 010: ALN 15.252 – Abandoned Mine Land Reclamation A Material Weakness and Material Noncompliance Exist at the Department of Environmental Protection Related to Subrecipient Monitoring (A Similar Condition Was Noted in Prior Year Finding 2022-005) Federal Grant Number(s) and Year(s): S22AF00017 (1/01/2022 – 12/31/2024), S21AF10015 (1/01/2021 – 12/31/2023), S20AF20092 (10/01/2020 – 9/30/2023), S20AF20006 (1/01/2020 –¬ 12/31/2022), S19AF20004 (12/01/2018 – 11/30/2023), S18AF20004 (11/01/2017 – 10/31/2023) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: The Department of Environmental Protection (DEP) administers the Abandoned Mine Land Reclamation (AMLR) program funded by the United States Department of the Interior (DOI). During the fiscal year ended June 30, 2023, DEP expended $60,055,889 within the AMLR program, of which $6,478,271 was paid to 16 subrecipient entities to provide abandoned mine land reclamation repairs and services throughout Pennsylvania. Up until the fiscal year ended June 30, 2022 timeframe, DEP considered these entities to be contractors and not subrecipients. However, once the entities were determined to be subrecipients, DEP began implementing procedures to ensure federal monitoring requirements were met to include on-site monitoring of subrecipient projects with signed Grant Manager monitoring report forms evidencing visit results. DEP also implemented subrecipient requirements of minimum quarterly Work Progress Reports and annual subrecipient Financial and Performance Reports. Our testing found these procedures were not implemented fully nor timely to ensure compliance throughout the fiscal year ended June 30, 2023. For a sample of six of the sixteen subrecipients, we reviewed relevant project correspondence and documentation to determine if DEP adequately monitored subrecipient projects and documented the results in accordance with procedures. Our testing found three of the six had sufficient documentation of on-site visits evidencing DEP oversight of the projects. However, only one included the subrecipient Work Progress Report and DEP manager signed monitoring report form; both required per DEP procedures. Due to the timing of procedure implementation, no subrecipient Financial and Performance Reports were submitted during the period. One of the six tested had project deficiencies. Sufficient evidence was available to show appropriate DEP follow-up and resolution. While Single Audits of the AMLR subrecipients may be conducted each year, this auditing activity does not compensate for during-the-award program monitoring, since the timing, focus, and scope of subrecipient auditing activities after year end are different than compliance monitoring to be performed by program officials during the year. Criteria: As part of administering the AMLR program, DEP must have policies, procedures, and controls in place to ensure compliance with federal requirements regarding pass-through entity monitoring of subrecipients. 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. Finding 2023 –¬ 010: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by § 200.521 [Management decision]. (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; and (2) Performing on-site reviews of the subrecipient's program operations; (3) Arranging for agreed-upon-procedures engagements as described in §200.425 [Audit services]. The standard contract agreement between DEP and the local grantee states, in part: Audit/Compliance Review Requirements - The contractor must comply with all applicable federal and state grant requirements including the Single Audit Act Amendments of 1996; 2 CFR Part 200 as amended; and any other applicable law or regulation, and any amendment to such other applicable law or regulation that may be enacted or promulgated by the federal government. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Once the determination was made that the contracts with these entities represented subrecipient agreements, DEP began implementing control procedures to ensure federal requirements were met and adequately documented. However, due to the transition time needed for implementation, we found these procedures were not fully or consistently implemented during the audit period. Effect: Without sufficient subrecipient monitoring, DEP cannot ensure compliance with federal statutes, regulations, and the terms and conditions of the subrecipient agreements. In addition, DEP cannot confirm that subrecipients are performing satisfactory work, ensure the efficient use of program resources, and minimize the risk for fraud and abuse. Completing on-site monitoring activities consistently and as designed is essential for DEP to determine whether the subrecipients are complying with federal regulations and spending grant funds appropriately. Recommendation: We recommend DEP continue to implement their written procedures for performing during-the-award subrecipient monitoring to ensure timely subrecipient compliance with federal regulations. On-site monitoring visits by DEP Grant Managers should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations. Agency Response: DEP agrees with the facts presented in this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Environmental Protection Finding 2023 –¬ 011: ALN 15.252 – Abandoned Mine Land Reclamation A Material Weakness and Material Noncompliance Exist at the Department of Environmental Protection Related to Cash Management of Federal Funds Federal Grant Number(s) and Year(s): S21AF10050 (6/01/2021 – 5/31/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Cash Management Condition: The Department of Environmental Protection (DEP) administers the Abandoned Mine Land Reclamation (AMLR) program funded by the United States Department of the Interior (DOI). During the fiscal year ended June 30, 2023, DEP expended $60,055,889 within the AMLR program, $8,900,470 or 14.8% of which was transferred to the Commonwealth Department of General Services (DGS) on July 6, 2022. DEP signed a Letter of Commitment (LOC) with DGS agreeing to transfer the funds as partial funding of a Capital Budget project for a third-party contractor to construct a new Acid Mine Drainage treatment facility estimated to cost approximately $26 million. Once transferred to DGS, these federal funds were combined with state Capital Budget funds and encumbered until project contractor payments began later in the fiscal year. Our review of transaction dates disclosed that DEP drew down $8,900,470 of AMLR federal funds on July 8, 2022; however, contractor payments did not begin until November 2022. A total of $9.1 million in contract payments were expended by the Commonwealth between November 2022 and June 30, 2023 fiscal year end. Therefore, DEP did not adequately limit the time between the drawdown of federal funds and the Commonwealth’s need for those funds, resulting in noncompliance with federal cash management regulations. Criteria: As part of administering the AMLR program, DEP must have policies, procedures, and controls in place to ensure compliance with federal cash management requirements and regulations. 2 CFR Section 200.305 (a), Federal Payment for pass through entities, states in part: a) For states, payments are governed by Treasury-State Cash Management Improvement Act (CMIA) agreements and default procedures codified at 31 CFR part 205. 31 CFR Section 205.33 (a) states in part: (a) A State must minimize the time between the drawdown of Federal funds from the Federal government and their disbursement for Federal program purposes. A Federal Program Agency must limit a funds transfer to a State to the minimum amounts needed by the State and must time the disbursement to be in accord with the actual, immediate cash requirements of the State in carrying out a Federal assistance program or project. The timing and amount of funds transfers must be as close as is administratively feasible to a State's actual cash outlay for direct program costs and the proportionate share of any allowable indirect costs. States should exercise sound cash management in funds transfers to subgrantees… Commonwealth Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Finding 2023 –¬ 011: (continued) Management should design control activities to achieve objectives and respond to risk. Management should implement control activities through policies. Cause: DGS has sole oversight of Capital Budget projects, one of which was partially funded by AMLR funds under the LOC between DEP and DGS. To have funds available for timely contract award, it is DGS practice to bill the agency for the entirety of the funds committed, including federal funds in this case, when a LOC is executed. Once transferred from the agency, funds are encumbered and held until project contractor payments are made. DEP did not have procedures in place to minimize the time between the drawdown of federal funds and their disbursement by DGS for project purposes. Effect: DEP did not minimize the time elapsing between the drawdown of $8,900,470 in AMLR funds and the actual need for the funds, resulting in noncompliance with federal cash management regulations. Recommendation: We recommend DEP implement policies and procedures when a LOC is executed for any future Capital Budget projects to minimize the time federal funds are held by the Commonwealth. Agency Response: DEP agrees with the facts presented in this finding. Questioned Costs: None

Office of the Budget – Governor’s Budget Office Finding 2023 –¬ 020: ALN 21.027 – COVID-19 – Coronavirus State and Local Fiscal Recovery Funds A Significant Deficiency and Noncompliance Exist at the Governor’s Budget Office Related to the Quarterly Project and Expenditure Report Federal Grant Number(s) and Year(s): TN75GJE1S7G3 (3/03/2021 – 12/31/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Reporting Condition: Two of 4 quarterly Project and Expenditure Reports were selected for testing. The Office of the Budget, Governor’s Budget Office (GBO) reported incomplete capital project information in these quarterly reports. Specifically, the following exceptions were noted: • A project’s description allows capital expenditures by beneficiaries, but GBO has reported it as a non-capital project on both quarterly Project and Expenditure reports. In addition, the Pennsylvania Emergency Management Agency (PEMA) does not require the beneficiaries receiving funding under this project to report their capital expenditures to PEMA. Therefore, GBO is unable to determine the amount of capital expenditures obligated and expended for this project. • A capital project in excess of $10 million was reported as a non-capital project on the March 31, 2023 quarterly report. GBO believes they correctly reported the project as a capital project, but the reporting portal incorrectly recorded their submission. However, GBO was unable to provide documentation that the project was identified as a capital project in their submission to the U.S. Treasury. • On the June 30, 2023 quarterly report, the project was correctly reported as a capital project and the required written justification was included, however, the justification did not include all required elements. Criteria: Per the Compliance and Reporting Guidance issued by the United States Department of the Treasury, recipients must report if a project includes capital expenditures, the type of capital expenditure, and the amount of capital expenditures obligated and expended. Per 31 CFR Section 35.6(b)(4), a recipient, other than a Tribal government, must prepare written justifications for capital projects with capital expenditures enumerated by Treasury in the final rule and with total capital expenditures greater than $10 million. Such written justifications must include the following elements: (i) Describe the harm or need to be addressed; (ii) Explain why a capital expenditure is appropriate; and (iii) Compare the proposed capital expenditure to at least two alternative capital expenditures and demonstrate why the proposed capital expenditure is superior. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Finding 2023 –¬ 020: (continued) Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PEMA issued awards to 666 local Emergency Management Services (EMS) companies and the companies were allowed to expend the funds on a variety of uses, including capital expenditures. PEMA did not obtain detail of capital expenditures incurred from the companies and was therefore unable to provide the information to GBO for inclusion on the Project and Expenditure Reports. The required elements for capital project justifications are summarized on page 4390 of the Final Rule, but they are not mentioned in the Project and Expenditure Report User Guide nor in the Compliance and Reporting Guidance. Therefore, GBO was unaware that it was necessary to include specific elements in the justification. Effect: GBO did not properly identify and report capital projects. Errors included omitting capital project obligations and expenditures and incomplete justifications for a capital project greater than $10 million. Recommendation: We recommend that GBO ensures that all capital projects are properly reported and that justifications for capital projects greater than $10 million include all required elements. We further recommend that PEMA beneficiaries be required to submit expenditure detail to allow GBO to correctly report capital expenditures obligated and expended. Agency Response: GBO agrees with this finding. Limitations in the federal reporting portal, changing federal guidance, and the nature of programs being implemented which may be used for capital expenditures and a myriad of other non-capital uses complicates reporting compliance. Questioned Costs: None

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Labor and Industry Office of Administration – Office for Information Technology – Employment, Banking and Revenue Delivery Center Finding 2023 –¬ 017: ALN 84.126 – Rehabilitation Services – Vocational Rehabilitation Grants to States Inappropriate Privileged Access Granted to Program Personnel Federal Grant Number(s) and Year(s): – H126A220056 (10/01/2020 – 9/30/2021), H126A230056 (10/01/2021 – 9/30/2022), H126A230056 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance Compliance Requirement: Other Condition: As part of testing internal controls over the Vocational Rehabilitation Grants to States program, we performed certain tests of information technology (IT) general controls over a computer application used by the Department of Labor and Industry, Office of Vocational Rehabilitation (OVR) and supported by the Office of Administration – Office for Information Technology (OA-OIT) – Employment, Banking and Revenue (EBR) Delivery Center. During our testing we noted that an inappropriate application administrator role was assigned to 19 users who did not require the role to perform their job duties. Details of this issue have been provided to OVR and the EBR Delivery Center for corrective action. Criteria: Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). • Green Book Principle 11 – Design Activities for the Information System, states in part: o 11.12 Management designs control activities over access to protect an entity from inappropriate access and unauthorized use of the system. These control activities support appropriate segregation of duties. By preventing unauthorized use of and changes to the system, data and program integrity are protected from malicious intent (e.g., someone breaking into the technology to commit fraud, vandalism, or terrorism) or error. o 11.14 Management designs control activities to limit user access to information technology through authorization control activities, such as providing a unique user identification or token to authorized users. These control activities may restrict authorized users to the applications or functions commensurate with their assigned responsibilities, supporting an appropriate segregation of duties. Management designs other control activities to promptly update access rights when employees change job functions or leave the entity. Information Technology Policy – OPD SEC007a – Configurations for IDs, Passwords, and Multi-Factor Authentication, revised July 12, 2022, section 3.7 states, in part, • Least privileged. By default, all accounts should be assigned the lowest level of permissions. If elevated permissions are required a change request should be submitted and approved before elevated permissions are granted to any account. A well-designed system of internal controls dictates that effective IT general controls, which includes access controls to programs and data, be established and functioning to ensure that overall agency operations are conducted in accordance with management’s intent. Finding 2023 –¬ 017: (continued) Cause: OVR management requested the privileged role be added to the profiles of the 19 users to allow the users to resolve an access issue. Rather than creating a new role designed to narrowly accommodate the access needs of the users, the existing process followed by an EBR Delivery Center Systems administrator granted an existing privileged role to the users that also gave them the ability to add and delete users from the application as well as assign other powerful roles. Further, OVR’s periodic review of user access performed during the audit period failed to identify the additional permissions granted by the use of the privileged role assignments. The inappropriate role was removed from the users’ profiles after the audit period once the auditors pointed out the issue. Effect: Assigning inappropriate access to users could result in unauthorized changes to the application and data, misuse of the application, or system actions outside management’s intent, which could result in noncompliance with federal laws and regulations. Further, without properly functioning IT general controls, the auditors are precluded from reliance on computer controls in the Rehabilitation Services program. Recommendation: We recommend that OVR management and EBR Delivery Center management work together to: • Update the user access request form to clarify the circumstances under which privileged roles may be assigned to application users; • Provide training to personnel on the Commonwealth policy noted above requiring least privilege; • Consider creating new privileged roles that allow administrators to assign the lowest level of permissions; • Consider creating a process to grant temporary access to administrative roles in special situations; and • Ensure the periodic access reviews of users include an assessment of the appropriateness of role assignments. Agency Response: Department of Labor and Industry – Office of Vocational Rehabilitation and the Office of Administration – Office for Information Technology – Employment, Banking and Revenue Delivery Center agree with the finding. Questioned Costs: None

Department of Labor and Industry Finding 2023 – 018: ALN 84.126 – Rehabilitation Services – Vocational Rehabilitation Grants to States A Significant Deficiency and Noncompliance Exist in the Department of Labor and Industry’s Procedures Related to Period of Performance Requirements Federal Grant Number(s) and Year(s): H126A210056 (10/01/2020 – 9/30/2022) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Period of Performance Condition: During our audit of the Rehabilitation Services – Vocational Rehabilitation Grants to States (RS-VR) program, we tested internal control over and compliance with period of performance requirements for the grant awarded by the United States Department of Education that had a period of performance date ending during the fiscal year ended June 30, 2023 audit period. • Two of 55 expenditures tested that were charged to the federal fiscal year 2021 RS-VR grant that closed during the audit period, were incurred after the allowable period of performance. These expenditures included two rental payments totaling $8,763. Both payments were for November 2022 rental charges but were charged to the grant which had a period end date of September 30, 2022. Expenditures posted in the last month of the allowable period of performance and after (including the two rental payments) totaled $36,651,862. Management was unable to provide authorization from the federal awarding agency for allowance of the expenditures occurring outside of the period of performance. Criteria: 2 CFR Section 200.303(a), Internal controls, states: The non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR Section 200.309, Period of performance, states: A non-Federal entity may charge to the Federal award only allowable costs incurred during the period of performance (except as described in §200.461 Publication and printing costs) and any costs incurred before the Federal awarding agency or pass-through entity made the award that were authorized by the Federal awarding agency or pass-through entity. Management Directive 325.12, Amended, Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2023 – 018: (continued) Cause: Office of Vocational Rehabilitation (OVR), Pennsylvania Department of Labor and Industry personnel did not check service dates prior to submitting invoices for payment which were charged to the federal fiscal year 2021 grant. OVR personnel did not have adequate procedures in place to ensure that only costs incurred during the allowable period of performance were charged to the grant. Effect: Expenditures outside of the allowable period of performance were incorrectly charged to the grant without authorization by the federal awarding agency, resulting in noncompliance and questioned costs. Recommendation: We recommend that OVR personnel implement procedures to ensure that costs and adjustments being charged to a federal grant are incurred within the allowable period of performance of the grant to which they are being charged, or when necessary, obtain authorization from the federal awarding agency prior to charging costs that are outside the allowable period of performance. Agency Response: OVR agrees with this finding. Questioned Costs: Known questioned costs of $8,763 were determined, which represents the amount of transactions incurred and charged to the federal grant outside the allowable period of performance.

Department of Labor and Industry Office of the Budget – Office of Comptroller Operations Finding 2023 – 019: ALN 84.126 – Rehabilitation Services – Vocational Rehabilitation Grants to States A Significant Deficiency and Noncompliance Exist Related to the Preparation and Submission of the Quarterly RSA-17 Report Federal Grant Number(s) and Year(s): H126A230056 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Reporting Condition: The Office of Vocational Rehabilitation (OVR), Pennsylvania Department of Labor and Industry, is required to submit an RSA-17, Vocational Rehabilitation Financial Report, for the Rehabilitation Services – Vocational Rehabilitation Grants to States (RS-VR) program to the United States Department of Education (USDE) on a quarterly basis. The RSA-17 report includes data related to the federal share of expenditures to date, the federal share of unliquidated obligations, the federal program income earned, the program income expended and unexpended, indirect charges to the grant, as well as other general information that is necessary to ensure compliance with program requirements. During the fiscal year ended June 30, 2023, we selected all RSA-17 reports submitted for two of the four quarters and the final report submitted for the grant that closed during the audit period for testing. As part of the report testing, we obtained supporting general ledger documentation to determine if the agency appropriately reported the data in the Rehabilitation Services Administration (RSA) system where the RSA-17 reports are submitted. Our testing disclosed that the Business Enterprise Program expenditures reported on the June 30, 2023 filing for Federal Grant H126A230056 were not correctly input into the RSA system. The amount reported was $26,409,010, when actual expenditures were $264,090 based on supporting documentation. Although the RSA-17 report was subjected to a documented supervisory review and approval, the incorrect reported amount remained undetected by Commonwealth management until notification by the auditor. Criteria: 2 CFR Section 200.303(a), Internal controls, states: The non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the committee of the Sponsoring Organizations of the Treadway Commission (COSO). 34 CFR Section 361.40, Reports; Evaluation standards and performance indicators, states: (a) Reports. (1) The vocational rehabilitation services portion of the Unified or Combined State Plan must assure that the designated State agency will submit reports, including reports required under sections 13, 14, and 101(a)(10) of the Act – (i) In the form and level of detail and at the time required by the Secretary regarding applicants for and eligible individuals receiving services, including students receiving pre-employment transition services in accordance with section 361.48(a); and Finding 2023 – 019: (continued) (ii) In a manner that provides a complete count (other than the information obtained through sampling consistent with section 101(a)(10)(E) of the Act) of the applicants and eligible individuals to – (A) Permit the greatest possible cross-classification of data; and (B) Protect the confidentiality of the identity of each individual. (2) The designated State agency must comply with any requirements necessary to ensure the accuracy and verification of those reports. Management Directive 325.12, Amended, Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Bureau of Accounting and Financial Management personnel did not review the data input into the RSA system for errors prior to submission of the report. OVR did not have adequate procedures in place to ensure accurate report submissions as prepared by Bureau of Accounting and Financial Management. Effect: Since the report preparation and the supervisory review and approval process were not adequate, the Business Enterprise Program expenditures were incorrectly reported on the RSA-17 report submitted to USDE. OVR was not in compliance with federal regulations. Recommendation: OVR should ensure their written procedures for the review, approval, and submission of the RSA-17 reports are improved and fully implemented. The procedures should have sufficient detail to ensure the RSA-17 reports are prepared accurately and in accordance with federal regulations. In addition, OVR should correct the error and submit a revised RSA-17 report to USDE. OVR Response: OVR agrees with this finding. OCO Response: OCO agrees with this finding. Questioned Costs: None

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Aging Finding 2023 – 002: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging’s Maintenance of Effort Certification Reporting Process Federal Grant Number(s) and Year(s): 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Matching, Level of Effort, Earmarking and Reporting Condition: The Pennsylvania Department of Aging (PDOA) is required to spend at least the average amount of state funds for aging services and administration that it reported as spent under the state plan for these activities for the three previous fiscal years. The amount of state funds expended is subsequently required to be reported to the United States Department of Health and Human Services (HHS) on the Certification of Maintenance of Effort (MOE). Our testing confirmed that PDOA met the state spending requirement for the federal fiscal year (FFY) ended September 30, 2022, for Title III, Parts B and C applicable to the Aging Cluster. However, PDOA did not file the MOE Certification for the FFY ended September 30, 2022, as required. The certification includes other Title III Parts applicable to other, non-Aging Cluster, federal programs. Criteria: 45 CFR Section 1321.49, State agency maintenance of effort, states: In order to avoid a penalty, each fiscal year the State agency, to meet the required non-federal share applicable to its allotments under this part, shall spend under the State plan for both services and administration at least the average amount of State funds it spent under the plan for the three previous fiscal years. If the State agency spends less than this amount, the Commissioner reduces the State’s allotments for supportive and nutrition services under this part by a percentage equal to the percentage by which the State reduced its expenditures. Per Administration for Community Living reporting instructions, the Certification of Maintenance of Effort (form OMB 0985-0009) is required to be submitted annually by the State agency. Commonwealth Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should design control activities to achieve objectives and respond to risk. Management should implement control activities through policies. Cause: PDOA officials indicated that the MOE Certification was not submitted to HHS due to staff turnover which resulted in an oversight of the reporting requirement. Effect: Since the PDOA did not submit the MOE Certification as required, PDOA is not in compliance with the Level of Effort reporting requirements. In addition, without the required MOE Certification, HHS has no documented assurance that PDOA met the state requirement for the FFY ended September 30, 2022. Finding 2023 – 002: (continued) Recommendation: We recommend that PDOA implement procedures to ensure the MOE Certification is submitted to HHS at the end of each FFY as required. Agency Response: PDOA agrees with this finding. Questioned Costs: None

Department of Aging Finding 2023 –¬ 003: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging Related to Subrecipient Monitoring Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Within the Aging Cluster, the Pennsylvania Department of Aging (PDOA) contracts with 52 Area Agency on Aging subrecipients to provide various services that include cares support, preventive health, and nutrition services, among others. Our audit testing disclosed that PDOA did not perform subrecipient monitoring on any of the subrecipients during the fiscal year ended June 30, 2023. The Aging Cluster subrecipients received $81.0 million out of Aging Cluster Program expenditures totaling $81.7 million reported on the Schedule of Expenditures of Federal Awards (SEFA). Criteria: 45 CFR Section 1321.11 State agencies policies, states in part: (a) The State agency on aging shall develop policies governing all aspects of programs operated under this part… The State agency is responsible for enforcement of these policies. (b) The policies developed by the State agency shall address the manner in which the State agency will monitor the performance of all programs and activities initiated under this part for quality and effectiveness. 45 CFR Section 75.352, Requirements for pass-through entities, states: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity… Finding 2023 ¬– 003: (continued) (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; and (2) Performing on-site reviews of the subrecipient's program operations; (3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services). Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: While PDOA has subrecipient monitoring procedures in place, PDOA officials indicated that these procedures were not performed for Aging Cluster subrecipients due to staffing shortages. Effect: Without proper subrecipient monitoring, PDOA cannot ensure compliance with grant requirements and federal regulations, including allowable costs and other requirements. Recommendation: PDOA should perform risk based during-the-award monitoring procedures for all Aging Cluster subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations. Agency Response: PDOA agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Aging Finding 2023 – 002: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging’s Maintenance of Effort Certification Reporting Process Federal Grant Number(s) and Year(s): 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Matching, Level of Effort, Earmarking and Reporting Condition: The Pennsylvania Department of Aging (PDOA) is required to spend at least the average amount of state funds for aging services and administration that it reported as spent under the state plan for these activities for the three previous fiscal years. The amount of state funds expended is subsequently required to be reported to the United States Department of Health and Human Services (HHS) on the Certification of Maintenance of Effort (MOE). Our testing confirmed that PDOA met the state spending requirement for the federal fiscal year (FFY) ended September 30, 2022, for Title III, Parts B and C applicable to the Aging Cluster. However, PDOA did not file the MOE Certification for the FFY ended September 30, 2022, as required. The certification includes other Title III Parts applicable to other, non-Aging Cluster, federal programs. Criteria: 45 CFR Section 1321.49, State agency maintenance of effort, states: In order to avoid a penalty, each fiscal year the State agency, to meet the required non-federal share applicable to its allotments under this part, shall spend under the State plan for both services and administration at least the average amount of State funds it spent under the plan for the three previous fiscal years. If the State agency spends less than this amount, the Commissioner reduces the State’s allotments for supportive and nutrition services under this part by a percentage equal to the percentage by which the State reduced its expenditures. Per Administration for Community Living reporting instructions, the Certification of Maintenance of Effort (form OMB 0985-0009) is required to be submitted annually by the State agency. Commonwealth Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should design control activities to achieve objectives and respond to risk. Management should implement control activities through policies. Cause: PDOA officials indicated that the MOE Certification was not submitted to HHS due to staff turnover which resulted in an oversight of the reporting requirement. Effect: Since the PDOA did not submit the MOE Certification as required, PDOA is not in compliance with the Level of Effort reporting requirements. In addition, without the required MOE Certification, HHS has no documented assurance that PDOA met the state requirement for the FFY ended September 30, 2022. Finding 2023 – 002: (continued) Recommendation: We recommend that PDOA implement procedures to ensure the MOE Certification is submitted to HHS at the end of each FFY as required. Agency Response: PDOA agrees with this finding. Questioned Costs: None

Department of Aging Finding 2023 –¬ 003: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging Related to Subrecipient Monitoring Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Within the Aging Cluster, the Pennsylvania Department of Aging (PDOA) contracts with 52 Area Agency on Aging subrecipients to provide various services that include cares support, preventive health, and nutrition services, among others. Our audit testing disclosed that PDOA did not perform subrecipient monitoring on any of the subrecipients during the fiscal year ended June 30, 2023. The Aging Cluster subrecipients received $81.0 million out of Aging Cluster Program expenditures totaling $81.7 million reported on the Schedule of Expenditures of Federal Awards (SEFA). Criteria: 45 CFR Section 1321.11 State agencies policies, states in part: (a) The State agency on aging shall develop policies governing all aspects of programs operated under this part… The State agency is responsible for enforcement of these policies. (b) The policies developed by the State agency shall address the manner in which the State agency will monitor the performance of all programs and activities initiated under this part for quality and effectiveness. 45 CFR Section 75.352, Requirements for pass-through entities, states: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity… Finding 2023 ¬– 003: (continued) (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; and (2) Performing on-site reviews of the subrecipient's program operations; (3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services). Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: While PDOA has subrecipient monitoring procedures in place, PDOA officials indicated that these procedures were not performed for Aging Cluster subrecipients due to staffing shortages. Effect: Without proper subrecipient monitoring, PDOA cannot ensure compliance with grant requirements and federal regulations, including allowable costs and other requirements. Recommendation: PDOA should perform risk based during-the-award monitoring procedures for all Aging Cluster subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations. Agency Response: PDOA agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Aging Finding 2023 – 002: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging’s Maintenance of Effort Certification Reporting Process Federal Grant Number(s) and Year(s): 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Matching, Level of Effort, Earmarking and Reporting Condition: The Pennsylvania Department of Aging (PDOA) is required to spend at least the average amount of state funds for aging services and administration that it reported as spent under the state plan for these activities for the three previous fiscal years. The amount of state funds expended is subsequently required to be reported to the United States Department of Health and Human Services (HHS) on the Certification of Maintenance of Effort (MOE). Our testing confirmed that PDOA met the state spending requirement for the federal fiscal year (FFY) ended September 30, 2022, for Title III, Parts B and C applicable to the Aging Cluster. However, PDOA did not file the MOE Certification for the FFY ended September 30, 2022, as required. The certification includes other Title III Parts applicable to other, non-Aging Cluster, federal programs. Criteria: 45 CFR Section 1321.49, State agency maintenance of effort, states: In order to avoid a penalty, each fiscal year the State agency, to meet the required non-federal share applicable to its allotments under this part, shall spend under the State plan for both services and administration at least the average amount of State funds it spent under the plan for the three previous fiscal years. If the State agency spends less than this amount, the Commissioner reduces the State’s allotments for supportive and nutrition services under this part by a percentage equal to the percentage by which the State reduced its expenditures. Per Administration for Community Living reporting instructions, the Certification of Maintenance of Effort (form OMB 0985-0009) is required to be submitted annually by the State agency. Commonwealth Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should design control activities to achieve objectives and respond to risk. Management should implement control activities through policies. Cause: PDOA officials indicated that the MOE Certification was not submitted to HHS due to staff turnover which resulted in an oversight of the reporting requirement. Effect: Since the PDOA did not submit the MOE Certification as required, PDOA is not in compliance with the Level of Effort reporting requirements. In addition, without the required MOE Certification, HHS has no documented assurance that PDOA met the state requirement for the FFY ended September 30, 2022. Finding 2023 – 002: (continued) Recommendation: We recommend that PDOA implement procedures to ensure the MOE Certification is submitted to HHS at the end of each FFY as required. Agency Response: PDOA agrees with this finding. Questioned Costs: None

Department of Aging Finding 2023 –¬ 003: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging Related to Subrecipient Monitoring Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Within the Aging Cluster, the Pennsylvania Department of Aging (PDOA) contracts with 52 Area Agency on Aging subrecipients to provide various services that include cares support, preventive health, and nutrition services, among others. Our audit testing disclosed that PDOA did not perform subrecipient monitoring on any of the subrecipients during the fiscal year ended June 30, 2023. The Aging Cluster subrecipients received $81.0 million out of Aging Cluster Program expenditures totaling $81.7 million reported on the Schedule of Expenditures of Federal Awards (SEFA). Criteria: 45 CFR Section 1321.11 State agencies policies, states in part: (a) The State agency on aging shall develop policies governing all aspects of programs operated under this part… The State agency is responsible for enforcement of these policies. (b) The policies developed by the State agency shall address the manner in which the State agency will monitor the performance of all programs and activities initiated under this part for quality and effectiveness. 45 CFR Section 75.352, Requirements for pass-through entities, states: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity… Finding 2023 ¬– 003: (continued) (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; and (2) Performing on-site reviews of the subrecipient's program operations; (3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services). Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: While PDOA has subrecipient monitoring procedures in place, PDOA officials indicated that these procedures were not performed for Aging Cluster subrecipients due to staffing shortages. Effect: Without proper subrecipient monitoring, PDOA cannot ensure compliance with grant requirements and federal regulations, including allowable costs and other requirements. Recommendation: PDOA should perform risk based during-the-award monitoring procedures for all Aging Cluster subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations. Agency Response: PDOA agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Aging Finding 2023 – 002: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging’s Maintenance of Effort Certification Reporting Process Federal Grant Number(s) and Year(s): 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Matching, Level of Effort, Earmarking and Reporting Condition: The Pennsylvania Department of Aging (PDOA) is required to spend at least the average amount of state funds for aging services and administration that it reported as spent under the state plan for these activities for the three previous fiscal years. The amount of state funds expended is subsequently required to be reported to the United States Department of Health and Human Services (HHS) on the Certification of Maintenance of Effort (MOE). Our testing confirmed that PDOA met the state spending requirement for the federal fiscal year (FFY) ended September 30, 2022, for Title III, Parts B and C applicable to the Aging Cluster. However, PDOA did not file the MOE Certification for the FFY ended September 30, 2022, as required. The certification includes other Title III Parts applicable to other, non-Aging Cluster, federal programs. Criteria: 45 CFR Section 1321.49, State agency maintenance of effort, states: In order to avoid a penalty, each fiscal year the State agency, to meet the required non-federal share applicable to its allotments under this part, shall spend under the State plan for both services and administration at least the average amount of State funds it spent under the plan for the three previous fiscal years. If the State agency spends less than this amount, the Commissioner reduces the State’s allotments for supportive and nutrition services under this part by a percentage equal to the percentage by which the State reduced its expenditures. Per Administration for Community Living reporting instructions, the Certification of Maintenance of Effort (form OMB 0985-0009) is required to be submitted annually by the State agency. Commonwealth Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should design control activities to achieve objectives and respond to risk. Management should implement control activities through policies. Cause: PDOA officials indicated that the MOE Certification was not submitted to HHS due to staff turnover which resulted in an oversight of the reporting requirement. Effect: Since the PDOA did not submit the MOE Certification as required, PDOA is not in compliance with the Level of Effort reporting requirements. In addition, without the required MOE Certification, HHS has no documented assurance that PDOA met the state requirement for the FFY ended September 30, 2022. Finding 2023 – 002: (continued) Recommendation: We recommend that PDOA implement procedures to ensure the MOE Certification is submitted to HHS at the end of each FFY as required. Agency Response: PDOA agrees with this finding. Questioned Costs: None

Department of Aging Finding 2023 –¬ 003: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging Related to Subrecipient Monitoring Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Within the Aging Cluster, the Pennsylvania Department of Aging (PDOA) contracts with 52 Area Agency on Aging subrecipients to provide various services that include cares support, preventive health, and nutrition services, among others. Our audit testing disclosed that PDOA did not perform subrecipient monitoring on any of the subrecipients during the fiscal year ended June 30, 2023. The Aging Cluster subrecipients received $81.0 million out of Aging Cluster Program expenditures totaling $81.7 million reported on the Schedule of Expenditures of Federal Awards (SEFA). Criteria: 45 CFR Section 1321.11 State agencies policies, states in part: (a) The State agency on aging shall develop policies governing all aspects of programs operated under this part… The State agency is responsible for enforcement of these policies. (b) The policies developed by the State agency shall address the manner in which the State agency will monitor the performance of all programs and activities initiated under this part for quality and effectiveness. 45 CFR Section 75.352, Requirements for pass-through entities, states: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity… Finding 2023 ¬– 003: (continued) (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; and (2) Performing on-site reviews of the subrecipient's program operations; (3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services). Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: While PDOA has subrecipient monitoring procedures in place, PDOA officials indicated that these procedures were not performed for Aging Cluster subrecipients due to staffing shortages. Effect: Without proper subrecipient monitoring, PDOA cannot ensure compliance with grant requirements and federal regulations, including allowable costs and other requirements. Recommendation: PDOA should perform risk based during-the-award monitoring procedures for all Aging Cluster subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations. Agency Response: PDOA agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Aging Finding 2023 – 002: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging’s Maintenance of Effort Certification Reporting Process Federal Grant Number(s) and Year(s): 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Matching, Level of Effort, Earmarking and Reporting Condition: The Pennsylvania Department of Aging (PDOA) is required to spend at least the average amount of state funds for aging services and administration that it reported as spent under the state plan for these activities for the three previous fiscal years. The amount of state funds expended is subsequently required to be reported to the United States Department of Health and Human Services (HHS) on the Certification of Maintenance of Effort (MOE). Our testing confirmed that PDOA met the state spending requirement for the federal fiscal year (FFY) ended September 30, 2022, for Title III, Parts B and C applicable to the Aging Cluster. However, PDOA did not file the MOE Certification for the FFY ended September 30, 2022, as required. The certification includes other Title III Parts applicable to other, non-Aging Cluster, federal programs. Criteria: 45 CFR Section 1321.49, State agency maintenance of effort, states: In order to avoid a penalty, each fiscal year the State agency, to meet the required non-federal share applicable to its allotments under this part, shall spend under the State plan for both services and administration at least the average amount of State funds it spent under the plan for the three previous fiscal years. If the State agency spends less than this amount, the Commissioner reduces the State’s allotments for supportive and nutrition services under this part by a percentage equal to the percentage by which the State reduced its expenditures. Per Administration for Community Living reporting instructions, the Certification of Maintenance of Effort (form OMB 0985-0009) is required to be submitted annually by the State agency. Commonwealth Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should design control activities to achieve objectives and respond to risk. Management should implement control activities through policies. Cause: PDOA officials indicated that the MOE Certification was not submitted to HHS due to staff turnover which resulted in an oversight of the reporting requirement. Effect: Since the PDOA did not submit the MOE Certification as required, PDOA is not in compliance with the Level of Effort reporting requirements. In addition, without the required MOE Certification, HHS has no documented assurance that PDOA met the state requirement for the FFY ended September 30, 2022. Finding 2023 – 002: (continued) Recommendation: We recommend that PDOA implement procedures to ensure the MOE Certification is submitted to HHS at the end of each FFY as required. Agency Response: PDOA agrees with this finding. Questioned Costs: None

Department of Aging Finding 2023 –¬ 003: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging Related to Subrecipient Monitoring Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Within the Aging Cluster, the Pennsylvania Department of Aging (PDOA) contracts with 52 Area Agency on Aging subrecipients to provide various services that include cares support, preventive health, and nutrition services, among others. Our audit testing disclosed that PDOA did not perform subrecipient monitoring on any of the subrecipients during the fiscal year ended June 30, 2023. The Aging Cluster subrecipients received $81.0 million out of Aging Cluster Program expenditures totaling $81.7 million reported on the Schedule of Expenditures of Federal Awards (SEFA). Criteria: 45 CFR Section 1321.11 State agencies policies, states in part: (a) The State agency on aging shall develop policies governing all aspects of programs operated under this part… The State agency is responsible for enforcement of these policies. (b) The policies developed by the State agency shall address the manner in which the State agency will monitor the performance of all programs and activities initiated under this part for quality and effectiveness. 45 CFR Section 75.352, Requirements for pass-through entities, states: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity… Finding 2023 ¬– 003: (continued) (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; and (2) Performing on-site reviews of the subrecipient's program operations; (3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services). Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: While PDOA has subrecipient monitoring procedures in place, PDOA officials indicated that these procedures were not performed for Aging Cluster subrecipients due to staffing shortages. Effect: Without proper subrecipient monitoring, PDOA cannot ensure compliance with grant requirements and federal regulations, including allowable costs and other requirements. Recommendation: PDOA should perform risk based during-the-award monitoring procedures for all Aging Cluster subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations. Agency Response: PDOA agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Human Services Finding 2023 –¬ 016: ALN 93.775, 93.777, and 93.778 – Medicaid Cluster (including COVID-19) A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to the Medicaid National Correct Coding Initiative (A Similar Condition Was Noted in Prior Year Finding 2022-009) Federal Grant Number(s) and Year(s): 2205PA5MAP (10/01/2022 – 9/30/2023), 2205PA5ADM (10/01/2022 – 9/30/2023), 2105PA5MAP (10/01/2021 – 9/30/2022), 2105PA5ADM (10/01/2021 – 9/30/2022) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to the Medicaid National Correct Coding Initiative (NCCI) Condition: The Pennsylvania Department of Human Services (DHS) is required by the United States Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), to implement six required Medicaid NCCI methodologies. These methodologies include procedure-to-procedure and medically unlikely edits of Medicaid fee-for-service claims submitted for processing through DHS’s PROMISe system to ensure that only proper payments of Medicaid procedures are reimbursed. As part of this process, DHS is required to download quarterly NCCI edit tables from CMS which are subsequently uploaded into PROMISe by DHS’s PROMISe vendor. During the fiscal year ended June 30, 2023, DHS did not ensure that its contract and amendments with the PROMISe vendor included one of the seven elements of the NCCI Confidentiality Agreement required by the HHS/CMS Medicaid NCCI Technical Guidance Manual. The one element missing was: • Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. Criteria: Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to significant changes that could impact the internal control system. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.2, Sharing of State Medicaid NCCI Edit Files by States with Other Entities, states in part: A state Medicaid agency may share these quarterly state Medicaid NCCI edit files which are posted on the secure RISSNET [Regional Information Sharing System Network] portal with the contracted fiscal agent that processes its FFS [fee-for-service] claims or with any of its contracted Medicaid managed-care entities that is using the Medicaid NCCI methodologies in its processing of claims or encounter data, if appropriate confidentiality agreements are in place. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.3, Confidentiality Agreements Requirements for Contracted Parties, states: At a minimum, the following elements must be included in the confidentiality agreements for any contracted party using the Medicaid NCCI files posted on the secure RISSNET portal: Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. Finding 2023 –¬ 016: (continued) After the start of the new calendar quarter, a contracted party may disclose only non-confidential information contained in the Medicaid NCCI edit files that is also available to the general public found on the NCCI Medicaid webpage. The contracted party agrees to use any non-public information from the quarterly state Medicaid NCCI edit files only for any business purposes directly related to the implementation of the Medicaid NCCI methodologies in the particular state. New, revised, or deleted Medicaid NCCI edits shall not be published or otherwise shared with individuals, medical societies, or any other entities unless it is a contracted party prior to the posting of the Medicaid NCCI edits on the NCCI Medicaid webpage. Implementation of new, revised, or deleted Medicaid NCCI edits shall not occur prior to the first day of the calendar quarter. Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. State Medicaid agencies must impose penalties, up to and including loss of contract, for violations of any confidentiality agreement relating to use of the secure RISSNET portal edit files. Cause: In amendments in 2022 and 2023, DHS personnel added six of the seven confidentiality agreement elements required by the HHS/CMS Medicaid NCCI Technical Guidance Manual to the PROMISe vendor contract amendment but did not add the remaining one element in the 2023 amendment. DHS believed the 2023 amendment along with the existing contract included all of the missing elements. Effect: Since DHS did not ensure one of the seven elements of the required NCCI confidentiality agreement was included in its contract with the PROMISe vendor, DHS was not in compliance with federal regulations. Recommendation: DHS should ensure the one missing element of the required NCCI confidentiality agreement is included in an amendment to its contract with the PROMISe vendor. Agency Response: DHS agrees with this finding. Questioned Costs: None

Department of Human Services Finding 2023 –¬ 016: ALN 93.775, 93.777, and 93.778 – Medicaid Cluster (including COVID-19) A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to the Medicaid National Correct Coding Initiative (A Similar Condition Was Noted in Prior Year Finding 2022-009) Federal Grant Number(s) and Year(s): 2205PA5MAP (10/01/2022 – 9/30/2023), 2205PA5ADM (10/01/2022 – 9/30/2023), 2105PA5MAP (10/01/2021 – 9/30/2022), 2105PA5ADM (10/01/2021 – 9/30/2022) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to the Medicaid National Correct Coding Initiative (NCCI) Condition: The Pennsylvania Department of Human Services (DHS) is required by the United States Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), to implement six required Medicaid NCCI methodologies. These methodologies include procedure-to-procedure and medically unlikely edits of Medicaid fee-for-service claims submitted for processing through DHS’s PROMISe system to ensure that only proper payments of Medicaid procedures are reimbursed. As part of this process, DHS is required to download quarterly NCCI edit tables from CMS which are subsequently uploaded into PROMISe by DHS’s PROMISe vendor. During the fiscal year ended June 30, 2023, DHS did not ensure that its contract and amendments with the PROMISe vendor included one of the seven elements of the NCCI Confidentiality Agreement required by the HHS/CMS Medicaid NCCI Technical Guidance Manual. The one element missing was: • Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. Criteria: Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to significant changes that could impact the internal control system. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.2, Sharing of State Medicaid NCCI Edit Files by States with Other Entities, states in part: A state Medicaid agency may share these quarterly state Medicaid NCCI edit files which are posted on the secure RISSNET [Regional Information Sharing System Network] portal with the contracted fiscal agent that processes its FFS [fee-for-service] claims or with any of its contracted Medicaid managed-care entities that is using the Medicaid NCCI methodologies in its processing of claims or encounter data, if appropriate confidentiality agreements are in place. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.3, Confidentiality Agreements Requirements for Contracted Parties, states: At a minimum, the following elements must be included in the confidentiality agreements for any contracted party using the Medicaid NCCI files posted on the secure RISSNET portal: Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. Finding 2023 –¬ 016: (continued) After the start of the new calendar quarter, a contracted party may disclose only non-confidential information contained in the Medicaid NCCI edit files that is also available to the general public found on the NCCI Medicaid webpage. The contracted party agrees to use any non-public information from the quarterly state Medicaid NCCI edit files only for any business purposes directly related to the implementation of the Medicaid NCCI methodologies in the particular state. New, revised, or deleted Medicaid NCCI edits shall not be published or otherwise shared with individuals, medical societies, or any other entities unless it is a contracted party prior to the posting of the Medicaid NCCI edits on the NCCI Medicaid webpage. Implementation of new, revised, or deleted Medicaid NCCI edits shall not occur prior to the first day of the calendar quarter. Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. State Medicaid agencies must impose penalties, up to and including loss of contract, for violations of any confidentiality agreement relating to use of the secure RISSNET portal edit files. Cause: In amendments in 2022 and 2023, DHS personnel added six of the seven confidentiality agreement elements required by the HHS/CMS Medicaid NCCI Technical Guidance Manual to the PROMISe vendor contract amendment but did not add the remaining one element in the 2023 amendment. DHS believed the 2023 amendment along with the existing contract included all of the missing elements. Effect: Since DHS did not ensure one of the seven elements of the required NCCI confidentiality agreement was included in its contract with the PROMISe vendor, DHS was not in compliance with federal regulations. Recommendation: DHS should ensure the one missing element of the required NCCI confidentiality agreement is included in an amendment to its contract with the PROMISe vendor. Agency Response: DHS agrees with this finding. Questioned Costs: None

Department of Human Services Finding 2023 –¬ 016: ALN 93.775, 93.777, and 93.778 – Medicaid Cluster (including COVID-19) A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to the Medicaid National Correct Coding Initiative (A Similar Condition Was Noted in Prior Year Finding 2022-009) Federal Grant Number(s) and Year(s): 2205PA5MAP (10/01/2022 – 9/30/2023), 2205PA5ADM (10/01/2022 – 9/30/2023), 2105PA5MAP (10/01/2021 – 9/30/2022), 2105PA5ADM (10/01/2021 – 9/30/2022) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to the Medicaid National Correct Coding Initiative (NCCI) Condition: The Pennsylvania Department of Human Services (DHS) is required by the United States Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), to implement six required Medicaid NCCI methodologies. These methodologies include procedure-to-procedure and medically unlikely edits of Medicaid fee-for-service claims submitted for processing through DHS’s PROMISe system to ensure that only proper payments of Medicaid procedures are reimbursed. As part of this process, DHS is required to download quarterly NCCI edit tables from CMS which are subsequently uploaded into PROMISe by DHS’s PROMISe vendor. During the fiscal year ended June 30, 2023, DHS did not ensure that its contract and amendments with the PROMISe vendor included one of the seven elements of the NCCI Confidentiality Agreement required by the HHS/CMS Medicaid NCCI Technical Guidance Manual. The one element missing was: • Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. Criteria: Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to significant changes that could impact the internal control system. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.2, Sharing of State Medicaid NCCI Edit Files by States with Other Entities, states in part: A state Medicaid agency may share these quarterly state Medicaid NCCI edit files which are posted on the secure RISSNET [Regional Information Sharing System Network] portal with the contracted fiscal agent that processes its FFS [fee-for-service] claims or with any of its contracted Medicaid managed-care entities that is using the Medicaid NCCI methodologies in its processing of claims or encounter data, if appropriate confidentiality agreements are in place. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.3, Confidentiality Agreements Requirements for Contracted Parties, states: At a minimum, the following elements must be included in the confidentiality agreements for any contracted party using the Medicaid NCCI files posted on the secure RISSNET portal: Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. Finding 2023 –¬ 016: (continued) After the start of the new calendar quarter, a contracted party may disclose only non-confidential information contained in the Medicaid NCCI edit files that is also available to the general public found on the NCCI Medicaid webpage. The contracted party agrees to use any non-public information from the quarterly state Medicaid NCCI edit files only for any business purposes directly related to the implementation of the Medicaid NCCI methodologies in the particular state. New, revised, or deleted Medicaid NCCI edits shall not be published or otherwise shared with individuals, medical societies, or any other entities unless it is a contracted party prior to the posting of the Medicaid NCCI edits on the NCCI Medicaid webpage. Implementation of new, revised, or deleted Medicaid NCCI edits shall not occur prior to the first day of the calendar quarter. Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. State Medicaid agencies must impose penalties, up to and including loss of contract, for violations of any confidentiality agreement relating to use of the secure RISSNET portal edit files. Cause: In amendments in 2022 and 2023, DHS personnel added six of the seven confidentiality agreement elements required by the HHS/CMS Medicaid NCCI Technical Guidance Manual to the PROMISe vendor contract amendment but did not add the remaining one element in the 2023 amendment. DHS believed the 2023 amendment along with the existing contract included all of the missing elements. Effect: Since DHS did not ensure one of the seven elements of the required NCCI confidentiality agreement was included in its contract with the PROMISe vendor, DHS was not in compliance with federal regulations. Recommendation: DHS should ensure the one missing element of the required NCCI confidentiality agreement is included in an amendment to its contract with the PROMISe vendor. Agency Response: DHS agrees with this finding. Questioned Costs: None

Department of Human Services Finding 2023 –¬ 016: ALN 93.775, 93.777, and 93.778 – Medicaid Cluster (including COVID-19) A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to the Medicaid National Correct Coding Initiative (A Similar Condition Was Noted in Prior Year Finding 2022-009) Federal Grant Number(s) and Year(s): 2205PA5MAP (10/01/2022 – 9/30/2023), 2205PA5ADM (10/01/2022 – 9/30/2023), 2105PA5MAP (10/01/2021 – 9/30/2022), 2105PA5ADM (10/01/2021 – 9/30/2022) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to the Medicaid National Correct Coding Initiative (NCCI) Condition: The Pennsylvania Department of Human Services (DHS) is required by the United States Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), to implement six required Medicaid NCCI methodologies. These methodologies include procedure-to-procedure and medically unlikely edits of Medicaid fee-for-service claims submitted for processing through DHS’s PROMISe system to ensure that only proper payments of Medicaid procedures are reimbursed. As part of this process, DHS is required to download quarterly NCCI edit tables from CMS which are subsequently uploaded into PROMISe by DHS’s PROMISe vendor. During the fiscal year ended June 30, 2023, DHS did not ensure that its contract and amendments with the PROMISe vendor included one of the seven elements of the NCCI Confidentiality Agreement required by the HHS/CMS Medicaid NCCI Technical Guidance Manual. The one element missing was: • Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. Criteria: Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to significant changes that could impact the internal control system. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.2, Sharing of State Medicaid NCCI Edit Files by States with Other Entities, states in part: A state Medicaid agency may share these quarterly state Medicaid NCCI edit files which are posted on the secure RISSNET [Regional Information Sharing System Network] portal with the contracted fiscal agent that processes its FFS [fee-for-service] claims or with any of its contracted Medicaid managed-care entities that is using the Medicaid NCCI methodologies in its processing of claims or encounter data, if appropriate confidentiality agreements are in place. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.3, Confidentiality Agreements Requirements for Contracted Parties, states: At a minimum, the following elements must be included in the confidentiality agreements for any contracted party using the Medicaid NCCI files posted on the secure RISSNET portal: Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. Finding 2023 –¬ 016: (continued) After the start of the new calendar quarter, a contracted party may disclose only non-confidential information contained in the Medicaid NCCI edit files that is also available to the general public found on the NCCI Medicaid webpage. The contracted party agrees to use any non-public information from the quarterly state Medicaid NCCI edit files only for any business purposes directly related to the implementation of the Medicaid NCCI methodologies in the particular state. New, revised, or deleted Medicaid NCCI edits shall not be published or otherwise shared with individuals, medical societies, or any other entities unless it is a contracted party prior to the posting of the Medicaid NCCI edits on the NCCI Medicaid webpage. Implementation of new, revised, or deleted Medicaid NCCI edits shall not occur prior to the first day of the calendar quarter. Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. State Medicaid agencies must impose penalties, up to and including loss of contract, for violations of any confidentiality agreement relating to use of the secure RISSNET portal edit files. Cause: In amendments in 2022 and 2023, DHS personnel added six of the seven confidentiality agreement elements required by the HHS/CMS Medicaid NCCI Technical Guidance Manual to the PROMISe vendor contract amendment but did not add the remaining one element in the 2023 amendment. DHS believed the 2023 amendment along with the existing contract included all of the missing elements. Effect: Since DHS did not ensure one of the seven elements of the required NCCI confidentiality agreement was included in its contract with the PROMISe vendor, DHS was not in compliance with federal regulations. Recommendation: DHS should ensure the one missing element of the required NCCI confidentiality agreement is included in an amendment to its contract with the PROMISe vendor. Agency Response: DHS agrees with this finding. Questioned Costs: None

Department of Human Services Finding 2023 –¬ 016: ALN 93.775, 93.777, and 93.778 – Medicaid Cluster (including COVID-19) A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to the Medicaid National Correct Coding Initiative (A Similar Condition Was Noted in Prior Year Finding 2022-009) Federal Grant Number(s) and Year(s): 2205PA5MAP (10/01/2022 – 9/30/2023), 2205PA5ADM (10/01/2022 – 9/30/2023), 2105PA5MAP (10/01/2021 – 9/30/2022), 2105PA5ADM (10/01/2021 – 9/30/2022) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to the Medicaid National Correct Coding Initiative (NCCI) Condition: The Pennsylvania Department of Human Services (DHS) is required by the United States Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), to implement six required Medicaid NCCI methodologies. These methodologies include procedure-to-procedure and medically unlikely edits of Medicaid fee-for-service claims submitted for processing through DHS’s PROMISe system to ensure that only proper payments of Medicaid procedures are reimbursed. As part of this process, DHS is required to download quarterly NCCI edit tables from CMS which are subsequently uploaded into PROMISe by DHS’s PROMISe vendor. During the fiscal year ended June 30, 2023, DHS did not ensure that its contract and amendments with the PROMISe vendor included one of the seven elements of the NCCI Confidentiality Agreement required by the HHS/CMS Medicaid NCCI Technical Guidance Manual. The one element missing was: • Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. Criteria: Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to significant changes that could impact the internal control system. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.2, Sharing of State Medicaid NCCI Edit Files by States with Other Entities, states in part: A state Medicaid agency may share these quarterly state Medicaid NCCI edit files which are posted on the secure RISSNET [Regional Information Sharing System Network] portal with the contracted fiscal agent that processes its FFS [fee-for-service] claims or with any of its contracted Medicaid managed-care entities that is using the Medicaid NCCI methodologies in its processing of claims or encounter data, if appropriate confidentiality agreements are in place. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.3, Confidentiality Agreements Requirements for Contracted Parties, states: At a minimum, the following elements must be included in the confidentiality agreements for any contracted party using the Medicaid NCCI files posted on the secure RISSNET portal: Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. Finding 2023 –¬ 016: (continued) After the start of the new calendar quarter, a contracted party may disclose only non-confidential information contained in the Medicaid NCCI edit files that is also available to the general public found on the NCCI Medicaid webpage. The contracted party agrees to use any non-public information from the quarterly state Medicaid NCCI edit files only for any business purposes directly related to the implementation of the Medicaid NCCI methodologies in the particular state. New, revised, or deleted Medicaid NCCI edits shall not be published or otherwise shared with individuals, medical societies, or any other entities unless it is a contracted party prior to the posting of the Medicaid NCCI edits on the NCCI Medicaid webpage. Implementation of new, revised, or deleted Medicaid NCCI edits shall not occur prior to the first day of the calendar quarter. Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. State Medicaid agencies must impose penalties, up to and including loss of contract, for violations of any confidentiality agreement relating to use of the secure RISSNET portal edit files. Cause: In amendments in 2022 and 2023, DHS personnel added six of the seven confidentiality agreement elements required by the HHS/CMS Medicaid NCCI Technical Guidance Manual to the PROMISe vendor contract amendment but did not add the remaining one element in the 2023 amendment. DHS believed the 2023 amendment along with the existing contract included all of the missing elements. Effect: Since DHS did not ensure one of the seven elements of the required NCCI confidentiality agreement was included in its contract with the PROMISe vendor, DHS was not in compliance with federal regulations. Recommendation: DHS should ensure the one missing element of the required NCCI confidentiality agreement is included in an amendment to its contract with the PROMISe vendor. Agency Response: DHS agrees with this finding. Questioned Costs: None

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Education Finding 2023 – 009: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Significant Deficiency and Noncompliance Exist in the Review and Approval of Subrecipient Education Leading to Employment and Career Training Expenditure Reports by the Pennsylvania Department of Education Federal Grant Number(s) and Year(s): 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Activities Allowed or Unallowed, Allowable Costs/Cost Principles Condition: The Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Education (PDE) have worked collaboratively to assist expectant and parenting youth through an initiative called Education Leading to Employment and Career Training (ELECT). ELECT works with expectant and parenting youth who qualify for assistance through Temporary Assistance for Needy Families (TANF), or are otherwise income-eligible, to support their continuation of or return to school to complete their secondary education. ELECT programs are operated by Local Education Agencies (LEA) that consist of school districts and Intermediate Units (IU). During the fiscal year ended June 30, 2023, PDE passed funding through to 27 LEAs for the operation of ELECT programs. TANF ELECT program payments made by PDE to its 27 subrecipients during the fiscal year ended June 30, 2023 were $14.1 million, or 3.1 percent of total TANF expenditures of $455.7 million reported on the June 30, 2023 Schedule of Expenditures of Federal Awards. As part of our testing of subrecipient expenditures, we selected three subrecipient expenditure reports to test PDE’s procedures for processing subgrantee requests for reimbursement. Our testing found that for one of the three ELECT Expenditure Reports selected for testing, the expenditure report was not certified by an authorized subgrantee official. Criteria: 2 CFR Section 200.415, Required certifications, states: Required certifications include: (a) To assure that expenditures are proper and in accordance with the terms and conditions of the Federal award and approved project budgets, the annual and final fiscal reports or vouchers requesting payment under the agreements must include a certification, signed by an official who is authorized to legally bind the non-Federal entity, which reads as follows: “By signing this report, I certify to the best of my knowledge and belief that the report is true, complete, and accurate, and the expenditures, disbursements and cash receipts are for the purposes and objectives set forth in the terms and conditions of the Federal award. I am aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject me to criminal, civil or administrative penalties for fraud, false statements, false claims or otherwise. (U.S. Code Title 18, Section 1001 and Title 31, Sections 3729-3730 and 3801-3812).” Finding 2023 – 009: (continued) 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). 45 CFR Section 75.352, applicable to TANF states: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. PDE’s Education Leading to Employment and Career Training (ELECT) Operational Guidelines states in part: Authorized Signature: An authorized signature is required on expenditure reports for grants with federal funds. The authorized signatory is taking responsibility for the federal funds; make sure that someone of authority is signing the report. It will not be processed without the signature. Cause: Although PDE requires subrecipients to utilize an ELECT Expenditure Report template that includes a box for an authorized subgrantee signatory to sign which states: By signing this report, I certify to the best of my knowledge and belief that the report is true, complete, and accurate, and the expenditures, disbursements and cash receipts are for the purposes and objectives set forth in the terms and conditions of the Federal award. I am aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject me to criminal, civil or administrative penalties for fraud, false statements, false claims or otherwise. (U.S. Code Title 18, Section 1001 and Title 31, Sections 3729-3730 and 3801-3812). PDE’s review did not detect that the expenditure report was not certified by an authorized subgrantee official. PDE did not follow their written operational guidelines which state that PDE should ensure that someone of authority is signing the report and that the expenditure report will not be processed without the signature. PDE management indicated that they monitor subrecipients and request backup documentation for expenditures listed in the requests for reimbursement; however, without subrecipient certifications only limited assurance of the allowability of the activities and costs for which the subrecipient was requesting reimbursement can be obtained. Finding 2023 – 009: (continued) Effect: Without appropriate certifications, PDE cannot be assured that subrecipient expenditures are proper and in accordance with the terms and conditions of the Federal award and approved project budgets. Further, the subrecipient noted in the condition above may have received unallowable cost reimbursements from the TANF program. PDE is not in compliance with federal regulations relating to required certifications, and a significant deficiency exists. If not corrected, the processing of expenditure reports without certifications could result in the reimbursement of unallowable costs and result in future grant awards being reduced. Recommendation: PDE should strengthen its procedures and controls to ensure that required certifications are obtained prior to passing funding through to subrecipients. Further, PDE should request that subgrantees resubmit any expenditure reports from which the required certifications were missing. Agency Response: PDE agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Human Services Finding 2023 – 012: ALN 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2022-006) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 – 9/30/2022), 231PA405S2514 (10/01/2022 – 9/30/2023), 1701PATANF (10/01/2016 – 9/30/2017), 2101PATANF (10/01/2020 – 9/30/2021), 2101PATANFC6 (10/01/2020 – 9/30/2022), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2023 totaled $5.5 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2023 totaled $116.8 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our testing of the physical security over EBT cards, we noted exceptions at ten CAO and district locations selected for testing. These exceptions included the following: 1) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a CAO (1 location); 2) The Roles/Permissions Report from the EBT Card Tracking Database provided by the EBT Project Office and CAO/district offices did not reconcile (1 district office and 5 CAO locations); 3) EBT cards were created outside of the hours of operations (1 district office and 1 CAO location); 4) Failure to perform the following: • Completion of the witness fields on a Ribbon Log (1 CAO location); • Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 district office); • Ensure that coverage for card pinning is available until 5:00 PM each business day (2 locations); • Enter EBT cards into the EBT Card Tracking Database at the same time that the card Primary Account Number (PAN) is created in the Electronic Payment Processing and Information Control (EPPIC) system (1 CAO location); • Maintain adequate security of EBT cards (1 district office); • Maintain adequate security of pinning device (1 district office); • Maintain adequate security of EBT card printing device (1 district office); Finding 2023 – 012: (continued) • Maintain operational efficiency due to only having one PIN Select Device (1 CAO location); • Maintain Form HS 764 in the case record after the EBT card is created (1 CAO location); • Maintain an EPPIC EBT Systems Application form (1 CAO location); • Proper completion of the EPPIC EBT Systems Application form; the form requested the user be granted an EPPIC Admin role (inquiry-only access) as well as a PIN Select User role (1 CAO location); • Timely enter a shipment received into the EBT Card Tracking Database (1 CAO location); and • Timely completion and submission of the EPPIC EBT Systems Application forms to the Office of Income Maintenance (OIM) EBT Security (1 district office and 3 CAO locations). Forty of the 261 business days in the current audit period were selected to test the handling and destruction of returned EBT cards. During our testing of the handling and destruction of returned EBT cards, we noted exceptions on one of the 40 business days selected for testing. These exceptions included the following: 1) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Approved by the Project Officer" column of the EBT Headquarters Card Destruction Log was signed and dated by the supervisor one day after the “Cards Destroyed by” column was signed and dated by the clerk. The cards were destroyed prior to the review/approval by the supervisor. 2) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Number of Cards Received by the Project Officer” column of the EBT Headquarters Card Destruction Log was not completed by the supervisor. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions – N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also §75.361, 75.362, 75.363, 75.364, and 75.365): (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See §75.303. Finding 2023 – 012: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Human Services Finding 2023 –¬ 013: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Significant Deficiency and Noncompliance Exist Over the Preparation and Submission of the ACF-204 and ACF-196P Reports Federal Grant Number(s) and Year(s): 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2001PATANF (10/01/2019 – 9/30/2020), 1901PATANF (10/01/2018 – 9/30/2019), 1801PATANF (10/01/2017 – 9/30/2018), 1701PATANF (10/01/2016 – 9/30/2017) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Reporting Condition: The Pennsylvania Department of Human Services (DHS) is required to file the ACF-204, Annual Report including the Annual Report on State Maintenance-of-Effort Programs (ACF-204 Report) each federal fiscal year with the United States Department of Health and Human Services, Administration for Children and Families (ACF). The ACF-204 Report contains information on the Temporary Assistance for Needy Families (TANF) program and the State's Maintenance-of-Effort (MOE) programs for that year. DHS is also required to file the ACF-196R, State TANF Financial Report (ACF-196R Report) quarterly with ACF, 45 days after each quarter of the fiscal year. The quarterly ACF-196R Reports reflect expenditures cumulative through that quarter for the federal fiscal year for each open grant award and includes MOE expenditures. The sum of the MOE expenditure amounts claimed on the annual ACF-204 Report should equal the total MOE expenditure amounts claimed on the state’s 4th quarter ACF-196R Report. However, when we reviewed the ACF-204 Report and the 196R-Report filed for September 30, 2022 the reported MOE expenditures did not agree. We determined the ACF-204 Report was inaccurate because edits were made to the ACF-196R Report after submission to ACF and the edits were not updated on the ACF-204 Report. The ACF-204 Report is prepared by DHS program personnel and the ACF-196R Report is prepared by the Office of Comptroller’s Operations (OCO). The ACF-196R Report originally submitted in November 2022 had been revised and resubmitted in March 2023. We noted the following differences between the total state MOE expenditure amounts reported on the two reports: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE The MOE expenditure amounts reported on the original ACF-204 Report were overstated by a total of $3,980,250. Although the ACF-196R Report had been revised in March 2023, there was no subsequent revision to the ACF-204 Report to correct the MOE line items. After our 2023 audit inquiry, DHS program personnel subsequently revised and resubmitted the report to ACF in September 2023 with the correct MOE expenditure amounts. Finding 2023 –¬ 013: (continued) In addition, our procedures disclosed that the ACF-196P Report (TANF Pandemic Emergency Assistance Fund Report) was submitted late. The ACF-196P Report was due December 29, 2022, but was not submitted until January 6, 2023. Criteria: 45 CFR Section 265.9 (a) states: Each State must file an annual report containing information on the TANF program and the State’s MOE programs for that year. TANF-ACF-PI-2001-06, Clarification on Completing the Annual Reports on TANF Programs (Attachment A) and State Maintenance-of-Effort (MOE) Programs (Form ACF-204) (Attachment B) issued by ACF, recommends that State program and fiscal staff coordinate their efforts to complete the ACF-204 information. The sum of the MOE amounts claimed in this report should equal the total MOE amounts claimed under all programs on the State's 4th quarter financial reporting form ACF-196 Report. Management Directive 325.12, Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should design control activities to achieve objectives and respond to risks. Management should externally communicate the necessary quality information to achieve the entity’s objectives. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Pursuant to section 403(c) of the Social Security Act, states must use the ACF-196P form to report TANF PEAF (Pandemic Emergency Assistance Fund) expenditure data. TANF-ACF-PI-2021-08, Program Instructions for the Completion of the TANF Financial Form ACF-196P for the Pandemic Emergency Assistance Fund, states that each grantee must submit completed ACF-196P forms to ACF within 90 days of the end of each federal fiscal year, that is, the quarter ending (QE) September 30. Reports for the PEAF awards for QE September 30, 2022 were due December 29, 2022. Cause: The ACF-204 Report overstatement was discovered as a result of auditor inquiry. Although OCO personnel communicated that a revised ACF196R Report was filed, program personnel did not recognize the need to revise the ACF-204 Report. Regarding the untimely filing of the ACF-196P Report, DHS asked OCO to request an extension as DHS was waiting for guidance from ACF to finalize accounting and close out the grant. The grant must be closed before OCO can prepare and file the final report. However, ACF did not grant the extension. Effect: Inaccuracies on the ACF-204 Report, could lead to the federal government’s inability to determine if the Commonwealth met its MOE requirements for the fiscal year. Furthermore, inaccurate reporting on the ACF-204 Report and untimely reporting of the ACF-196P Report could subject the Commonwealth to penalties. Recommendation: We recommend that program personnel coordinate with OCO personnel to ensure the MOE amounts reported in the ACF-204 Report are correct and equal the form ACF-196R amounts, the ACF-196P is submitted timely, and that federal reports are in compliance with federal requirements. Agency Response: DHS agrees with this finding. Questioned Costs: None

Department of Human Services Finding 2023 ¬– 014: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) Department of Human Services Did Not Validate Financial Information as Part of Its On-Site Monitoring of Temporary Assistance for Needy Families Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2022-008) Federal Grant Number(s) and Year(s): 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2001PATANF (10/01/2019 – 9/30/2020), 1901PATANF (10/01/2018 – 9/30/2019), 1801PATANF (10/01/2017 – 9/30/2018), 1701PATANF (10/01/2016 – 9/30/2017) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: During the fiscal year ended June 30, 2023, the Department of Human Services (DHS) paid $82.4 million in Temporary Assistance for Needy Families (TANF) funding to subrecipients within the New Directions, Cash Grants, and Alternatives to Abortion appropriations (or 18.1 percent) out of total federal TANF expenditures of $455.7 million reported on the June 30, 2023 Schedule of Expenditures of Federal Awards. Our testing of DHS’s during-the-award monitoring of subrecipients for the fiscal year ended June 30, 2023 disclosed that DHS performed on-site monitoring for 13 out of 14 subrecipients selected for testing. The on-site monitoring that was performed consisted of reviews of program operations including design, data entry accuracy and timeliness, case management analysis, and program payment performance goals. The on-site monitoring also included a review of a sample of TANF recipient case files to ensure that the recipients’ TANF activities were documented and accurately entered in the Commonwealth’s Workforce Development System. However, DHS’s monitoring procedures for the 13 subrecipients were not adequate as they did not include a review or monitoring of subrecipient financial records, which would provide an assessment of a subrecipient’s compliance with applicable federal regulations. Although DHS’s monitoring procedures include reviewing subrecipient completed questionnaires for selected subrecipients that had questions related to financial matters, DHS’s monitoring personnel did not review subrecipient financial records. For example, DHS did not perform procedures to ensure subrecipient invoices agreed to the books and records of the subrecipient and that the records were adequate to support the allowability of costs paid by DHS during the award period. In addition, DHS’s monitoring procedures did not include an evaluation of the operating effectiveness of DHS subrecipients’ procedures to monitor Single Audits and any related findings. Our testing of the 14 subrecipients noted above included follow up on one subrecipient identified in the prior year finding as not being on-site monitored by DHS when the risk assessment warranted on-site monitoring. Our follow-up during the current audit period disclosed that DHS did not conduct on-site monitoring for this subrecipient during the fiscal year ended June 30, 2023. Since the on-site monitoring was not completed, internal control weaknesses, noncompliance, and questioned costs may have existed and remained undetected during the current audit period. This subrecipient received $1 million of TANF funds during the fiscal year ended June 30, 2023. Criteria: 45 CFR Section 75.352, Requirements for pass-through entities, states: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. Finding 2023 –¬ 014: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by § 75.521 [Management decision]. 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; (2) Performing on-site reviews of the subrecipient's program operations; and (3) Arranging for agreed-upon-procedures engagements as described in §200.425 [Audit services]. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: DHS provided new during-the-award monitoring procedures to be used for the on-site monitoring of subrecipients, but these procedures were not in place for monitoring conducted during the fiscal year ended June 30, 2023. Therefore, DHS has not implemented adequate during-the-award monitoring procedures of subrecipients to include testing of the financial records and the subrecipients’ monitoring of Single Audits sufficient to ensure compliance with federal regulations. Regarding the one subrecipient for which on-site monitoring was not completed, DHS personnel stated that they worked to obtain the necessary documentation to complete the on-site monitoring. However, the subrecipient had not cooperated. The grant agreement with the subrecipient expired on December 31, 2023 and the subrecipient has stopped all contact with DHS. Effect: TANF subrecipients could be operating in noncompliance with federal regulations without timely detection and correction by DHS management. Recommendation: DHS should strengthen its controls to ensure during-the-award monitoring of TANF subrecipients includes procedures to ensure that subrecipients are in compliance with applicable federal regulations. This should include examining subrecipients’ financial records and ensuring that all required Single Audits were obtained by DHS subrecipients. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Office of the Budget – Office of Comptroller Operations Finding 2023 –¬ 021: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist Over the Preparation and Submission of the Quarterly ACF-196R Reports Federal Grant Number(s) and Year(s): 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2001PATANF (10/01/2019 – 9/30/2020), 1901PATANF (10/01/2018 – 9/30/2019), 1801PATANF (10/01/2017 – 9/30/2018), 1701PATANF (10/01/2016 – 9/30/2017) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Reporting Condition: The Pennsylvania Department of Human Services (DHS) is required to submit the ACF-196R, State TANF Financial Report (ACF-196R Report), on a quarterly basis, for each grant year, to the United States Department of Health and Human Services (HHS) Administration for Children and Families (ACF). The ACF-196R Report includes data related to the cumulative transfers, expenditures, and unliquidated obligations through the end of the federal fiscal year. A state must submit a quarterly ACF-196R Report for each open grant year award. During the fiscal year ended June 30, 2023, we selected 10 out of 20 quarterly ACF-196R Reports for testing. The ACF-196R Reports submitted for the quarters ended September 30, 2022 and June 30, 2023 for grant award years 2020 and 2023, respectively, included federal unliquidated obligation amounts reported on Part 1 Expenditure Data, Line 27, which did not agree to the Commonwealth’s general ledger (SAP) as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE We also analytically compared expenditures incurred during the fiscal year ended June 30, 2023 per the ACF-196R Reports to total Temporary Assistance for Needy Families (TANF) expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA) noting a difference of $53,256,607. We requested that management provide a listing of reconciling items between the ACF-196R Reports and the SEFA which resulted in the identification of an understatement of aggregate expenditures reported in the ACF-196R Reports for the report quarter ending June 30, 2023 of $45,603,714. Although the ACF-196R Reports were subjected to a documented supervisory review and approval, the existence of the misstated federal unliquidated obligation and expenditure amounts indicates that the preparation and the supervisory review and approval processes were not adequate, and a material weakness exists over the preparation and submission of the ACF-196R Report. Finding 2023 – ¬021: (continued) Criteria: 45 CFR Section 75.302, Financial management and standards for financial management system, states: (b) The financial management system of each non-Federal entity must provide for the following: (2) Accurate, current, and complete disclosure of the financial results of each Federal award or program in accordance with the reporting requirements set forth in §75.341 and §75.342. 45 CFR Section 265.3, What reports must the State file on a quarterly basis?, states: (a) Quarterly reports. (1) Each State must collect on a monthly basis, and file on a quarterly basis, the data specified in the TANF Data Report and the TANF Financial Report (c) The TANF Financial Report. (1) Each State must file quarterly expenditure data on the State’s use of Federal TANF funds, State TANF expenditures, and State expenditures of MOE funds in separate State programs. (2) If a State is expending Federal TANF funds received in prior fiscal years, it must file a separate quarterly TANF Financial Report for each fiscal year that provides information on the expenditures of that year’s TANF funds. 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (b) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Further, adequate internal controls over report preparation would include detailed written report preparation procedures, a segregation of duties between the preparation and the review and approval of the report, and an adequate review and approval process which would detect errors in the report preparation and ensure that such errors are corrected. Finding 2023 –¬ 021: (continued) Cause: The Commonwealth’s Office of Comptroller Operations (OCO) personnel indicated that three internal orders were set up with incorrect order group attribute codes. These errors resulted in expenditures of $45,603,714 being improperly excluded from the order group reports that were used during the compilation of the expenditure data reported in the ACF-196R Reports for the quarter ending June 30, 2023. The $9,306,287 overstatement and $231,623 understatement noted above were the result of formula errors within OCO’s workbooks used to compile the reports that were not identified prior to the submission of the corresponding reports. OCO personnel stated there is a supervisory review and approval process in place but staff turnover and additional grant responsibilities has created internal time constraints for reporting which inherently has increased the potential risk of errors not being identified during the supervisory review. Effect: Since the preparation and the supervisory review and approval processes were not adequate to ensure the accuracy of expenditures and federal unliquidated obligations, various ACF-196R Reports were misstated for the quarters ended June 30, 2023 and September 30, 2022. DHS is not in compliance with federal regulations, and a material weakness exists. If not corrected, inaccurate reporting could result in future grant awards being reduced. Recommendation: OCO should ensure that the preparation and supervisory review and approval processes for the ACF-196R Report are improved and include all required information including cumulative transfers, expenditures, and unliquidated obligations. OCO should ensure their written procedures for the preparation, review, approval, and submission of the ACF-196R Report are sufficiently detailed to ensure the ACF-196R Report is prepared accurately in accordance with federal regulations. Finally, OCO should ensure the misstated ACF-196R expenditure amounts are corrected and the revised information is submitted to ACF, in accordance with ACF guidelines. OCO Response: OCO agrees with this finding. Questioned Costs: None

Office of the Budget – Office of Comptroller Operations Finding 2023 –¬ 022: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.788 – Opioid STR A Significant Deficiency and Noncompliance Exist in the Commonwealth’s FFATA Reporting Process (A Similar Condition Was Noted in Prior Year Finding 2022-012) Federal Grant Number(s) and Year(s): 2201PATANF (10/01/2021 – 9/30/2022), H79T1083297 (9/30/2020 – 9/29/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Reporting Condition: The Federal Funding Accountability and Transparency Act (FFATA) requires the Commonwealth of Pennsylvania to report first-tier subawards of $30,000 or more to the FFATA Subaward Reporting System (FSRS). Necessary details including the contract amount, contract date, federal award identification number, internal order number, and other information are entered into the Commonwealth’s SAP accounting system when the Commonwealth agencies award subrecipient contracts in order to ensure compliance with the FFATA reporting requirements. Each month Commonwealth information technology personnel run an extract in SAP to populate a FFATA database and generate a report that summarizes the contract information required for that month’s FFATA reporting. The Office of the Budget, Bureau of Accounting and Financial Management (OB-BAFM), is responsible for overseeing FFATA reporting, to include reviewing the summary report to ensure the contract data is complete. Once reviewed, the information is uploaded into FSRS to meet FFATA reporting requirements. Our testing of the FFATA reporting requirements for 40 subaward transactions totaling $112.9 million from thirteen major programs disclosed that two transactions totaling approximately $11.9 million, or 11 percent of transactions tested, were not reported to FSRS. Specifically, the two transactions for which the FFATA information was not reported occurred within two of the 13 programs tested as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2023 –¬ 022: (continued) Criteria: 2 CFR Section 170, Appendix A to Part 170, Award Term, states in part: I. Reporting Subawards and Executive Compensation a. Reporting of first tier subawards. Applicability. Unless you are exempt as provided in paragraph d. of this award term, you must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency (see definitions in paragraph e. of this award term). 2. Where and when to report. i. The non-Federal entity or Federal agency must report each obligating action described in paragraph a.1. of this award term to http://www.fsrs.gov. ii. For subaward information, report no later than the end of the month following the month in which the obligation was made. (For example, if the obligation was made on November 7, 2010, the obligation must be reported by no later than December 31, 2010.) 3. What to report. You must report the information about each obligating action that the submission instructions posted at http://www.fsrs.gov specify. b. Reporting total compensation of recipient executives for non-Federal entities. 1. Applicability and what to report. You must report total compensation for each of your five most highly compensated executives for the preceding completed fiscal year, if - i. The total Federal funding authorized to date under this Federal award equals or exceeds $30,000 as defined in 2 CFR 170.320; ii. in the preceding fiscal year, you received - (A) 80 percent or more of your annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards), and (B) $25,000,000 or more in annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards); and, iii. The public does not have access to information about the compensation of the executives through periodic reports filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a), 78o(d)) or section 6104 of the Internal Revenue Code of 1986. (To determine if the public has access to the compensation information, see the U.S. Security and Exchange Commission total compensation filings at http://www.sec.gov/answers/execomp.htm.) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2023 –¬ 022: (continued) Cause: Regarding the two transactions identified during our testing that were not reported in the FFATA database, OB-BAFM personnel indicated the awards were overlooked during the FFATA review. As a result of our inquiry, OB-BAFM Personnel indicated that these awards were subsequently uploaded to the FFATA database and FSRS as required. Effect: Since the subaward information for two transactions tested were not included in the FFATA database, the required subaward information was not reported to FSRS as required. Further, noncompliance with FFATA reporting requirements in FSRS may recur in future periods if control deficiencies are not corrected to ensure completeness of the FFATA database. Recommendation: We recommend that OB-BAFM follow their established procedures to ensure all subrecipient contract information is included in the FFATA database to ensure that FSRS is accurate and complete. Agency Response: OB-BAFM agrees with the finding. Questioned Costs: None

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Education Finding 2023 – 009: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Significant Deficiency and Noncompliance Exist in the Review and Approval of Subrecipient Education Leading to Employment and Career Training Expenditure Reports by the Pennsylvania Department of Education Federal Grant Number(s) and Year(s): 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Activities Allowed or Unallowed, Allowable Costs/Cost Principles Condition: The Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Education (PDE) have worked collaboratively to assist expectant and parenting youth through an initiative called Education Leading to Employment and Career Training (ELECT). ELECT works with expectant and parenting youth who qualify for assistance through Temporary Assistance for Needy Families (TANF), or are otherwise income-eligible, to support their continuation of or return to school to complete their secondary education. ELECT programs are operated by Local Education Agencies (LEA) that consist of school districts and Intermediate Units (IU). During the fiscal year ended June 30, 2023, PDE passed funding through to 27 LEAs for the operation of ELECT programs. TANF ELECT program payments made by PDE to its 27 subrecipients during the fiscal year ended June 30, 2023 were $14.1 million, or 3.1 percent of total TANF expenditures of $455.7 million reported on the June 30, 2023 Schedule of Expenditures of Federal Awards. As part of our testing of subrecipient expenditures, we selected three subrecipient expenditure reports to test PDE’s procedures for processing subgrantee requests for reimbursement. Our testing found that for one of the three ELECT Expenditure Reports selected for testing, the expenditure report was not certified by an authorized subgrantee official. Criteria: 2 CFR Section 200.415, Required certifications, states: Required certifications include: (a) To assure that expenditures are proper and in accordance with the terms and conditions of the Federal award and approved project budgets, the annual and final fiscal reports or vouchers requesting payment under the agreements must include a certification, signed by an official who is authorized to legally bind the non-Federal entity, which reads as follows: “By signing this report, I certify to the best of my knowledge and belief that the report is true, complete, and accurate, and the expenditures, disbursements and cash receipts are for the purposes and objectives set forth in the terms and conditions of the Federal award. I am aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject me to criminal, civil or administrative penalties for fraud, false statements, false claims or otherwise. (U.S. Code Title 18, Section 1001 and Title 31, Sections 3729-3730 and 3801-3812).” Finding 2023 – 009: (continued) 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). 45 CFR Section 75.352, applicable to TANF states: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. PDE’s Education Leading to Employment and Career Training (ELECT) Operational Guidelines states in part: Authorized Signature: An authorized signature is required on expenditure reports for grants with federal funds. The authorized signatory is taking responsibility for the federal funds; make sure that someone of authority is signing the report. It will not be processed without the signature. Cause: Although PDE requires subrecipients to utilize an ELECT Expenditure Report template that includes a box for an authorized subgrantee signatory to sign which states: By signing this report, I certify to the best of my knowledge and belief that the report is true, complete, and accurate, and the expenditures, disbursements and cash receipts are for the purposes and objectives set forth in the terms and conditions of the Federal award. I am aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject me to criminal, civil or administrative penalties for fraud, false statements, false claims or otherwise. (U.S. Code Title 18, Section 1001 and Title 31, Sections 3729-3730 and 3801-3812). PDE’s review did not detect that the expenditure report was not certified by an authorized subgrantee official. PDE did not follow their written operational guidelines which state that PDE should ensure that someone of authority is signing the report and that the expenditure report will not be processed without the signature. PDE management indicated that they monitor subrecipients and request backup documentation for expenditures listed in the requests for reimbursement; however, without subrecipient certifications only limited assurance of the allowability of the activities and costs for which the subrecipient was requesting reimbursement can be obtained. Finding 2023 – 009: (continued) Effect: Without appropriate certifications, PDE cannot be assured that subrecipient expenditures are proper and in accordance with the terms and conditions of the Federal award and approved project budgets. Further, the subrecipient noted in the condition above may have received unallowable cost reimbursements from the TANF program. PDE is not in compliance with federal regulations relating to required certifications, and a significant deficiency exists. If not corrected, the processing of expenditure reports without certifications could result in the reimbursement of unallowable costs and result in future grant awards being reduced. Recommendation: PDE should strengthen its procedures and controls to ensure that required certifications are obtained prior to passing funding through to subrecipients. Further, PDE should request that subgrantees resubmit any expenditure reports from which the required certifications were missing. Agency Response: PDE agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Human Services Finding 2023 – 012: ALN 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2022-006) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 – 9/30/2022), 231PA405S2514 (10/01/2022 – 9/30/2023), 1701PATANF (10/01/2016 – 9/30/2017), 2101PATANF (10/01/2020 – 9/30/2021), 2101PATANFC6 (10/01/2020 – 9/30/2022), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2023 totaled $5.5 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2023 totaled $116.8 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our testing of the physical security over EBT cards, we noted exceptions at ten CAO and district locations selected for testing. These exceptions included the following: 1) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a CAO (1 location); 2) The Roles/Permissions Report from the EBT Card Tracking Database provided by the EBT Project Office and CAO/district offices did not reconcile (1 district office and 5 CAO locations); 3) EBT cards were created outside of the hours of operations (1 district office and 1 CAO location); 4) Failure to perform the following: • Completion of the witness fields on a Ribbon Log (1 CAO location); • Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 district office); • Ensure that coverage for card pinning is available until 5:00 PM each business day (2 locations); • Enter EBT cards into the EBT Card Tracking Database at the same time that the card Primary Account Number (PAN) is created in the Electronic Payment Processing and Information Control (EPPIC) system (1 CAO location); • Maintain adequate security of EBT cards (1 district office); • Maintain adequate security of pinning device (1 district office); • Maintain adequate security of EBT card printing device (1 district office); Finding 2023 – 012: (continued) • Maintain operational efficiency due to only having one PIN Select Device (1 CAO location); • Maintain Form HS 764 in the case record after the EBT card is created (1 CAO location); • Maintain an EPPIC EBT Systems Application form (1 CAO location); • Proper completion of the EPPIC EBT Systems Application form; the form requested the user be granted an EPPIC Admin role (inquiry-only access) as well as a PIN Select User role (1 CAO location); • Timely enter a shipment received into the EBT Card Tracking Database (1 CAO location); and • Timely completion and submission of the EPPIC EBT Systems Application forms to the Office of Income Maintenance (OIM) EBT Security (1 district office and 3 CAO locations). Forty of the 261 business days in the current audit period were selected to test the handling and destruction of returned EBT cards. During our testing of the handling and destruction of returned EBT cards, we noted exceptions on one of the 40 business days selected for testing. These exceptions included the following: 1) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Approved by the Project Officer" column of the EBT Headquarters Card Destruction Log was signed and dated by the supervisor one day after the “Cards Destroyed by” column was signed and dated by the clerk. The cards were destroyed prior to the review/approval by the supervisor. 2) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Number of Cards Received by the Project Officer” column of the EBT Headquarters Card Destruction Log was not completed by the supervisor. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions – N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also §75.361, 75.362, 75.363, 75.364, and 75.365): (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See §75.303. Finding 2023 – 012: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Human Services Finding 2023 –¬ 013: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Significant Deficiency and Noncompliance Exist Over the Preparation and Submission of the ACF-204 and ACF-196P Reports Federal Grant Number(s) and Year(s): 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2001PATANF (10/01/2019 – 9/30/2020), 1901PATANF (10/01/2018 – 9/30/2019), 1801PATANF (10/01/2017 – 9/30/2018), 1701PATANF (10/01/2016 – 9/30/2017) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Reporting Condition: The Pennsylvania Department of Human Services (DHS) is required to file the ACF-204, Annual Report including the Annual Report on State Maintenance-of-Effort Programs (ACF-204 Report) each federal fiscal year with the United States Department of Health and Human Services, Administration for Children and Families (ACF). The ACF-204 Report contains information on the Temporary Assistance for Needy Families (TANF) program and the State's Maintenance-of-Effort (MOE) programs for that year. DHS is also required to file the ACF-196R, State TANF Financial Report (ACF-196R Report) quarterly with ACF, 45 days after each quarter of the fiscal year. The quarterly ACF-196R Reports reflect expenditures cumulative through that quarter for the federal fiscal year for each open grant award and includes MOE expenditures. The sum of the MOE expenditure amounts claimed on the annual ACF-204 Report should equal the total MOE expenditure amounts claimed on the state’s 4th quarter ACF-196R Report. However, when we reviewed the ACF-204 Report and the 196R-Report filed for September 30, 2022 the reported MOE expenditures did not agree. We determined the ACF-204 Report was inaccurate because edits were made to the ACF-196R Report after submission to ACF and the edits were not updated on the ACF-204 Report. The ACF-204 Report is prepared by DHS program personnel and the ACF-196R Report is prepared by the Office of Comptroller’s Operations (OCO). The ACF-196R Report originally submitted in November 2022 had been revised and resubmitted in March 2023. We noted the following differences between the total state MOE expenditure amounts reported on the two reports: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE The MOE expenditure amounts reported on the original ACF-204 Report were overstated by a total of $3,980,250. Although the ACF-196R Report had been revised in March 2023, there was no subsequent revision to the ACF-204 Report to correct the MOE line items. After our 2023 audit inquiry, DHS program personnel subsequently revised and resubmitted the report to ACF in September 2023 with the correct MOE expenditure amounts. Finding 2023 –¬ 013: (continued) In addition, our procedures disclosed that the ACF-196P Report (TANF Pandemic Emergency Assistance Fund Report) was submitted late. The ACF-196P Report was due December 29, 2022, but was not submitted until January 6, 2023. Criteria: 45 CFR Section 265.9 (a) states: Each State must file an annual report containing information on the TANF program and the State’s MOE programs for that year. TANF-ACF-PI-2001-06, Clarification on Completing the Annual Reports on TANF Programs (Attachment A) and State Maintenance-of-Effort (MOE) Programs (Form ACF-204) (Attachment B) issued by ACF, recommends that State program and fiscal staff coordinate their efforts to complete the ACF-204 information. The sum of the MOE amounts claimed in this report should equal the total MOE amounts claimed under all programs on the State's 4th quarter financial reporting form ACF-196 Report. Management Directive 325.12, Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should design control activities to achieve objectives and respond to risks. Management should externally communicate the necessary quality information to achieve the entity’s objectives. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Pursuant to section 403(c) of the Social Security Act, states must use the ACF-196P form to report TANF PEAF (Pandemic Emergency Assistance Fund) expenditure data. TANF-ACF-PI-2021-08, Program Instructions for the Completion of the TANF Financial Form ACF-196P for the Pandemic Emergency Assistance Fund, states that each grantee must submit completed ACF-196P forms to ACF within 90 days of the end of each federal fiscal year, that is, the quarter ending (QE) September 30. Reports for the PEAF awards for QE September 30, 2022 were due December 29, 2022. Cause: The ACF-204 Report overstatement was discovered as a result of auditor inquiry. Although OCO personnel communicated that a revised ACF196R Report was filed, program personnel did not recognize the need to revise the ACF-204 Report. Regarding the untimely filing of the ACF-196P Report, DHS asked OCO to request an extension as DHS was waiting for guidance from ACF to finalize accounting and close out the grant. The grant must be closed before OCO can prepare and file the final report. However, ACF did not grant the extension. Effect: Inaccuracies on the ACF-204 Report, could lead to the federal government’s inability to determine if the Commonwealth met its MOE requirements for the fiscal year. Furthermore, inaccurate reporting on the ACF-204 Report and untimely reporting of the ACF-196P Report could subject the Commonwealth to penalties. Recommendation: We recommend that program personnel coordinate with OCO personnel to ensure the MOE amounts reported in the ACF-204 Report are correct and equal the form ACF-196R amounts, the ACF-196P is submitted timely, and that federal reports are in compliance with federal requirements. Agency Response: DHS agrees with this finding. Questioned Costs: None

Department of Human Services Finding 2023 ¬– 014: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) Department of Human Services Did Not Validate Financial Information as Part of Its On-Site Monitoring of Temporary Assistance for Needy Families Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2022-008) Federal Grant Number(s) and Year(s): 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2001PATANF (10/01/2019 – 9/30/2020), 1901PATANF (10/01/2018 – 9/30/2019), 1801PATANF (10/01/2017 – 9/30/2018), 1701PATANF (10/01/2016 – 9/30/2017) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: During the fiscal year ended June 30, 2023, the Department of Human Services (DHS) paid $82.4 million in Temporary Assistance for Needy Families (TANF) funding to subrecipients within the New Directions, Cash Grants, and Alternatives to Abortion appropriations (or 18.1 percent) out of total federal TANF expenditures of $455.7 million reported on the June 30, 2023 Schedule of Expenditures of Federal Awards. Our testing of DHS’s during-the-award monitoring of subrecipients for the fiscal year ended June 30, 2023 disclosed that DHS performed on-site monitoring for 13 out of 14 subrecipients selected for testing. The on-site monitoring that was performed consisted of reviews of program operations including design, data entry accuracy and timeliness, case management analysis, and program payment performance goals. The on-site monitoring also included a review of a sample of TANF recipient case files to ensure that the recipients’ TANF activities were documented and accurately entered in the Commonwealth’s Workforce Development System. However, DHS’s monitoring procedures for the 13 subrecipients were not adequate as they did not include a review or monitoring of subrecipient financial records, which would provide an assessment of a subrecipient’s compliance with applicable federal regulations. Although DHS’s monitoring procedures include reviewing subrecipient completed questionnaires for selected subrecipients that had questions related to financial matters, DHS’s monitoring personnel did not review subrecipient financial records. For example, DHS did not perform procedures to ensure subrecipient invoices agreed to the books and records of the subrecipient and that the records were adequate to support the allowability of costs paid by DHS during the award period. In addition, DHS’s monitoring procedures did not include an evaluation of the operating effectiveness of DHS subrecipients’ procedures to monitor Single Audits and any related findings. Our testing of the 14 subrecipients noted above included follow up on one subrecipient identified in the prior year finding as not being on-site monitored by DHS when the risk assessment warranted on-site monitoring. Our follow-up during the current audit period disclosed that DHS did not conduct on-site monitoring for this subrecipient during the fiscal year ended June 30, 2023. Since the on-site monitoring was not completed, internal control weaknesses, noncompliance, and questioned costs may have existed and remained undetected during the current audit period. This subrecipient received $1 million of TANF funds during the fiscal year ended June 30, 2023. Criteria: 45 CFR Section 75.352, Requirements for pass-through entities, states: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. Finding 2023 –¬ 014: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by § 75.521 [Management decision]. 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; (2) Performing on-site reviews of the subrecipient's program operations; and (3) Arranging for agreed-upon-procedures engagements as described in §200.425 [Audit services]. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: DHS provided new during-the-award monitoring procedures to be used for the on-site monitoring of subrecipients, but these procedures were not in place for monitoring conducted during the fiscal year ended June 30, 2023. Therefore, DHS has not implemented adequate during-the-award monitoring procedures of subrecipients to include testing of the financial records and the subrecipients’ monitoring of Single Audits sufficient to ensure compliance with federal regulations. Regarding the one subrecipient for which on-site monitoring was not completed, DHS personnel stated that they worked to obtain the necessary documentation to complete the on-site monitoring. However, the subrecipient had not cooperated. The grant agreement with the subrecipient expired on December 31, 2023 and the subrecipient has stopped all contact with DHS. Effect: TANF subrecipients could be operating in noncompliance with federal regulations without timely detection and correction by DHS management. Recommendation: DHS should strengthen its controls to ensure during-the-award monitoring of TANF subrecipients includes procedures to ensure that subrecipients are in compliance with applicable federal regulations. This should include examining subrecipients’ financial records and ensuring that all required Single Audits were obtained by DHS subrecipients. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Office of the Budget – Office of Comptroller Operations Finding 2023 –¬ 021: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist Over the Preparation and Submission of the Quarterly ACF-196R Reports Federal Grant Number(s) and Year(s): 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2001PATANF (10/01/2019 – 9/30/2020), 1901PATANF (10/01/2018 – 9/30/2019), 1801PATANF (10/01/2017 – 9/30/2018), 1701PATANF (10/01/2016 – 9/30/2017) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Reporting Condition: The Pennsylvania Department of Human Services (DHS) is required to submit the ACF-196R, State TANF Financial Report (ACF-196R Report), on a quarterly basis, for each grant year, to the United States Department of Health and Human Services (HHS) Administration for Children and Families (ACF). The ACF-196R Report includes data related to the cumulative transfers, expenditures, and unliquidated obligations through the end of the federal fiscal year. A state must submit a quarterly ACF-196R Report for each open grant year award. During the fiscal year ended June 30, 2023, we selected 10 out of 20 quarterly ACF-196R Reports for testing. The ACF-196R Reports submitted for the quarters ended September 30, 2022 and June 30, 2023 for grant award years 2020 and 2023, respectively, included federal unliquidated obligation amounts reported on Part 1 Expenditure Data, Line 27, which did not agree to the Commonwealth’s general ledger (SAP) as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE We also analytically compared expenditures incurred during the fiscal year ended June 30, 2023 per the ACF-196R Reports to total Temporary Assistance for Needy Families (TANF) expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA) noting a difference of $53,256,607. We requested that management provide a listing of reconciling items between the ACF-196R Reports and the SEFA which resulted in the identification of an understatement of aggregate expenditures reported in the ACF-196R Reports for the report quarter ending June 30, 2023 of $45,603,714. Although the ACF-196R Reports were subjected to a documented supervisory review and approval, the existence of the misstated federal unliquidated obligation and expenditure amounts indicates that the preparation and the supervisory review and approval processes were not adequate, and a material weakness exists over the preparation and submission of the ACF-196R Report. Finding 2023 – ¬021: (continued) Criteria: 45 CFR Section 75.302, Financial management and standards for financial management system, states: (b) The financial management system of each non-Federal entity must provide for the following: (2) Accurate, current, and complete disclosure of the financial results of each Federal award or program in accordance with the reporting requirements set forth in §75.341 and §75.342. 45 CFR Section 265.3, What reports must the State file on a quarterly basis?, states: (a) Quarterly reports. (1) Each State must collect on a monthly basis, and file on a quarterly basis, the data specified in the TANF Data Report and the TANF Financial Report (c) The TANF Financial Report. (1) Each State must file quarterly expenditure data on the State’s use of Federal TANF funds, State TANF expenditures, and State expenditures of MOE funds in separate State programs. (2) If a State is expending Federal TANF funds received in prior fiscal years, it must file a separate quarterly TANF Financial Report for each fiscal year that provides information on the expenditures of that year’s TANF funds. 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (b) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Further, adequate internal controls over report preparation would include detailed written report preparation procedures, a segregation of duties between the preparation and the review and approval of the report, and an adequate review and approval process which would detect errors in the report preparation and ensure that such errors are corrected. Finding 2023 –¬ 021: (continued) Cause: The Commonwealth’s Office of Comptroller Operations (OCO) personnel indicated that three internal orders were set up with incorrect order group attribute codes. These errors resulted in expenditures of $45,603,714 being improperly excluded from the order group reports that were used during the compilation of the expenditure data reported in the ACF-196R Reports for the quarter ending June 30, 2023. The $9,306,287 overstatement and $231,623 understatement noted above were the result of formula errors within OCO’s workbooks used to compile the reports that were not identified prior to the submission of the corresponding reports. OCO personnel stated there is a supervisory review and approval process in place but staff turnover and additional grant responsibilities has created internal time constraints for reporting which inherently has increased the potential risk of errors not being identified during the supervisory review. Effect: Since the preparation and the supervisory review and approval processes were not adequate to ensure the accuracy of expenditures and federal unliquidated obligations, various ACF-196R Reports were misstated for the quarters ended June 30, 2023 and September 30, 2022. DHS is not in compliance with federal regulations, and a material weakness exists. If not corrected, inaccurate reporting could result in future grant awards being reduced. Recommendation: OCO should ensure that the preparation and supervisory review and approval processes for the ACF-196R Report are improved and include all required information including cumulative transfers, expenditures, and unliquidated obligations. OCO should ensure their written procedures for the preparation, review, approval, and submission of the ACF-196R Report are sufficiently detailed to ensure the ACF-196R Report is prepared accurately in accordance with federal regulations. Finally, OCO should ensure the misstated ACF-196R expenditure amounts are corrected and the revised information is submitted to ACF, in accordance with ACF guidelines. OCO Response: OCO agrees with this finding. Questioned Costs: None

Office of the Budget – Office of Comptroller Operations Finding 2023 –¬ 022: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.788 – Opioid STR A Significant Deficiency and Noncompliance Exist in the Commonwealth’s FFATA Reporting Process (A Similar Condition Was Noted in Prior Year Finding 2022-012) Federal Grant Number(s) and Year(s): 2201PATANF (10/01/2021 – 9/30/2022), H79T1083297 (9/30/2020 – 9/29/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Reporting Condition: The Federal Funding Accountability and Transparency Act (FFATA) requires the Commonwealth of Pennsylvania to report first-tier subawards of $30,000 or more to the FFATA Subaward Reporting System (FSRS). Necessary details including the contract amount, contract date, federal award identification number, internal order number, and other information are entered into the Commonwealth’s SAP accounting system when the Commonwealth agencies award subrecipient contracts in order to ensure compliance with the FFATA reporting requirements. Each month Commonwealth information technology personnel run an extract in SAP to populate a FFATA database and generate a report that summarizes the contract information required for that month’s FFATA reporting. The Office of the Budget, Bureau of Accounting and Financial Management (OB-BAFM), is responsible for overseeing FFATA reporting, to include reviewing the summary report to ensure the contract data is complete. Once reviewed, the information is uploaded into FSRS to meet FFATA reporting requirements. Our testing of the FFATA reporting requirements for 40 subaward transactions totaling $112.9 million from thirteen major programs disclosed that two transactions totaling approximately $11.9 million, or 11 percent of transactions tested, were not reported to FSRS. Specifically, the two transactions for which the FFATA information was not reported occurred within two of the 13 programs tested as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2023 –¬ 022: (continued) Criteria: 2 CFR Section 170, Appendix A to Part 170, Award Term, states in part: I. Reporting Subawards and Executive Compensation a. Reporting of first tier subawards. Applicability. Unless you are exempt as provided in paragraph d. of this award term, you must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency (see definitions in paragraph e. of this award term). 2. Where and when to report. i. The non-Federal entity or Federal agency must report each obligating action described in paragraph a.1. of this award term to http://www.fsrs.gov. ii. For subaward information, report no later than the end of the month following the month in which the obligation was made. (For example, if the obligation was made on November 7, 2010, the obligation must be reported by no later than December 31, 2010.) 3. What to report. You must report the information about each obligating action that the submission instructions posted at http://www.fsrs.gov specify. b. Reporting total compensation of recipient executives for non-Federal entities. 1. Applicability and what to report. You must report total compensation for each of your five most highly compensated executives for the preceding completed fiscal year, if - i. The total Federal funding authorized to date under this Federal award equals or exceeds $30,000 as defined in 2 CFR 170.320; ii. in the preceding fiscal year, you received - (A) 80 percent or more of your annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards), and (B) $25,000,000 or more in annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards); and, iii. The public does not have access to information about the compensation of the executives through periodic reports filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a), 78o(d)) or section 6104 of the Internal Revenue Code of 1986. (To determine if the public has access to the compensation information, see the U.S. Security and Exchange Commission total compensation filings at http://www.sec.gov/answers/execomp.htm.) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2023 –¬ 022: (continued) Cause: Regarding the two transactions identified during our testing that were not reported in the FFATA database, OB-BAFM personnel indicated the awards were overlooked during the FFATA review. As a result of our inquiry, OB-BAFM Personnel indicated that these awards were subsequently uploaded to the FFATA database and FSRS as required. Effect: Since the subaward information for two transactions tested were not included in the FFATA database, the required subaward information was not reported to FSRS as required. Further, noncompliance with FFATA reporting requirements in FSRS may recur in future periods if control deficiencies are not corrected to ensure completeness of the FFATA database. Recommendation: We recommend that OB-BAFM follow their established procedures to ensure all subrecipient contract information is included in the FFATA database to ensure that FSRS is accurate and complete. Agency Response: OB-BAFM agrees with the finding. Questioned Costs: None

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Human Services Finding 2023 –¬ 015: ALN 93.667 – Social Services Block Grant A Material Weakness and Material Noncompliance Exist in the Department of Human Services’ Program Monitoring of the Social Services Block Grant Subrecipients Federal Grant Number(s) and Year(s): 2301PASOSR (10/01/2022 – 9/30/2024), 2201PASOSR (10/01/2021 – 9/30/2023), 2101PASOSR (10/01/2020 – 9/30/2022) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirements: Cash Management, Subrecipient Monitoring Condition: Our examination of the Department of Human Services’ (DHS) procedures for monitoring Social Services Block Grant (SSBG) subrecipients revealed that DHS did not adequately monitor the SSBG Mental Health, Homeless Services, Child Welfare, Domestic Violence, Rape Crisis, Legal Services, and Family Planning subrecipients to ensure that SSBG awards are used in compliance with laws and regulations, which include allowable costs, period of performance, and other requirements. The inadequately monitored subrecipients received $41.0 million (or approximately 44 percent) of total SSBG program expenditures of $92.7 million reported on the Schedule of Expenditures of Federal Awards (SEFA). While we did note that DHS adequately monitored six of the 55 Mental Health County/County Joinder subrecipients which included Mental Health, Homeless Services and Child Welfare services, this coverage is not adequate. In addition, our review of the risk assessments completed for all of the aforementioned subrecipients identified several instances where subrecipient monitoring was warranted but was not conducted. No monitoring was performed on the Domestic Violence, Rape Crisis, Legal Services and Family Planning subrecipients. In addition, for the compliance requirement related to cash management, we noted that DHS advanced funds to SSBG subrecipients in four of nine program areas, representing $34.0 million (or approximately 37 percent) of SSBG program expenditures, without adequately monitoring the reasonableness of the subrecipient cash balances. In particular, for the program areas related to Mental Health, Intellectual Disabilities, Homeless Services, and Child Welfare, DHS advanced funds to subrecipients on a quarterly basis. Our inquiries with applicable DHS program administrators disclosed that DHS did not adequately monitor the four program areas’ subrecipients for cash management compliance either at the time of payment or at any other time during the fiscal year ended June 30, 2023. Furthermore, while Single Audits of SSBG subrecipients may be conducted each year, this auditing activity does not compensate for the lack of during-the-award program monitoring, since the timing, focus, and scope of subrecipient auditing activities after year end are different than compliance monitoring to be performed by program officials during the year. Criteria: 45 CFR Section 75.352, Requirements for pass-through entities, states: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity… Finding 2023 –¬ 015: (continued) (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; and (2) Performing on-site reviews of the subrecipient's program operations; (3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services). 45 CFR Section 75.305(b)(1), applicable to payments to subrecipients, states in part: …Advance payments to a non-Federal entity must be limited to the minimum amounts needed and be timed to be in accordance with the actual, immediate cash requirements of the non-Federal entity in carrying out the purpose of the approved program or project. The timing and amount of advance payments must be as close as is administratively feasible to the actual disbursements by the non-Federal entity for direct program or project costs and the proportionate share of any allowable indirect costs. The non-Federal entity must make timely payment to contractors in accordance with the contract provisions. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: DHS management indicated that risk assessment and monitoring documents were created for use during on-site monitoring of SSBG subrecipients. However, due to staffing issues, on-site monitoring was not performed for all SSBG subrecipients. Consistent with prior year audits, DHS management noted that there have been no changes to the payment methodology for the Homeless Services, Mental Health, Intellectual Disabilities, and Child Welfare components of SSBG. These programs provide subrecipients with advances to comply with Commonwealth law and also to ensure that adequate funds are available to provide services to participants on a timely basis. DHS officials believe that their in-house payment review procedures for the SSBG program are as efficient as administratively feasible and that controls exist in each of the program areas. Without on-site program monitoring visits by funding agency officials, we consider DHS’s limited in-house reviews of subrecipient status reports or other documents to be insufficient to detect potential subrecipient noncompliance, including excess cash violations. DHS does not adjust payments to the subrecipients based on in-house reviews. Effect: Since DHS does not adequately perform during-the-award monitoring of subrecipients, including the monitoring of subrecipient cash on hand, subrecipients may not be complying with applicable grant requirements and federal regulations, including cash management standards. Recommendation: DHS should perform risk based during-the-award monitoring procedures and risk assessments for all SSBG subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations. Finding 2023 –¬ 015: (continued) As recommended in previous Single Audits and supported by the United States Department of Health and Human Services, DHS should either consider changing their current subrecipient payment procedures from advancement basis to reimbursement basis or establish procedures to adequately monitor subrecipient cash on hand to ensure it is limited to immediate needs, but no longer than one month. The implementation and strengthening of these controls should provide DHS with reasonable assurance as to compliance with cash management requirements at the subrecipient level. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Corrections Finding 2023 –¬ 006: ALN 93.788 – Opioid STR A Material Weakness and Material Noncompliance Exist at the Department of Corrections Related to the Review of Opioid Medication Costs Federal Grant Number(s) and Year(s): H79TI083297 (9/30/2020 – 9/29/2023) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Activities Allowed or Unallowed Condition: The Pennsylvania Department of Drug and Alcohol Programs (DDAP) administers and monitors funds to provide services for the State Opioid Response Grants (SOR) program. During the fiscal year ended June 30, 2023 the Commonwealth expended $79,631,874 for the SOR program. An allowable use of SOR funds is to procure medications that provide treatment of opioid disorder and smoking cessation to individuals within the Department of Corrections (DOC) system. To provide these treatment services to DOC, DDAP executed interagency agreements to subgrant funds to the DOC. The DOC has a contract with a sole pharmaceutical vendor to procure opioid treatment and smoking cessation medications. The DOC processes the invoices which are submitted by the pharmaceutical vendor to procure the medications. To ensure accurate and cost-effective medication pricing is being billed, DOC relies on the Department of Aging (PDOA) personnel that complete quarterly audits of medication pricing as part of the Pharmaceutical Assistance for the Elderly program. The PDOA quarterly audit reports are PDOA’s internal documents and are not typically provided to DOC unless significant anomalies are noted. The DOC does not perform any other independent review and approval of medication prices in which SOR funds are being expended. During the fiscal year ending on June 30, 2023, we tested the three United States Food and Drug Administration approved medications allowable under the SOR Grants procured by the DOC from the pharmaceutical vendor. Sublocade was one of the allowable medications tested which amounted to purchases totaling over $10 million for the fiscal year. However, this medication was not included in the PDOA quarterly audits during the fiscal year. The DOC was unable to provide any additional evidence of review or approval of Sublocade pricing. Criteria: 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2023 –¬ 006: (continued) 2 CFR Section 200.404, Reasonable costs, states: A cost is reasonable if, in its nature and amount, it does not exceed that which would be incurred by a prudent person under the circumstances prevailing at the time the decision was made to incur the cost. The question of reasonableness is particularly important when the non-Federal entity is predominantly federally-funded. In determining reasonableness of a given cost, consideration must be given to: (a) Whether the cost is of a type generally recognized as ordinary and necessary for the operation of the non-Federal entity or the proper and efficient performance of the Federal award. (b) The restraints or requirements imposed by such factors as: sound business practices; arm's-length bargaining; Federal, state, local, tribal, and other laws and regulations; and terms and conditions of the Federal award. (c) Market prices for comparable goods or services for the geographic area. (d) Whether the individuals concerned acted with prudence in the circumstances considering their responsibilities to the non-Federal entity, its employees, where applicable its students or membership, the public at large, and the Federal Government. (e) Whether the non-Federal entity significantly deviates from its established practices and policies regarding the incurrence of costs, which may unjustifiably increase the Federal award's cost. Cause: DOC did not implement policies and procedures to ensure billed medication prices are accurate and cost effective. Effect: Without review and validation of the prices, DOC may procure medications at higher rates than necessary or correct which would result in overbilling and improper use of SOR funds. Recommendation: We recommend that DOC implement formal policies and procedures to review and approve procured medications and services. Agency Response: DOC agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Drug and Alcohol Programs Finding 2023 –¬ 007: ALN 93.788 – Opioid STR A Significant Deficiency and Noncompliance Exist at the Department of Drug and Alcohol Programs Related to Submission of Performance Progress Reports Federal Grant Number(s) and Year(s): H79TI083297 (9/30/2020 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Reporting Condition: The Pennsylvania Department of Drug and Alcohol Programs (DDAP) is required to submit biannual Performance Progress Reports (PPR) to the United States Department of Health and Human Services, Substance Abuse and Mental Health Services Administration (SAMHSA) for the components of State Opioid Response Grants (SOR) program. The PPR reports support the collection of data pertaining to the services provided by the 47 Single County Authorities (SCA) throughout the Commonwealth. SAMHSA awards Opioid grants to DDAP for the purpose of administration of the SOR program. The SOR program provides SCAs critical funding and support needed to address the opioid epidemic within the Commonwealth. SCAs must provide a variety of services to recipients including but not limited to treatment of opioid disorder, treatment of stimulant disorder, and recovery support services under the Public Health Services Act (42 U.S.C. 300x-21 et seq). During the fiscal year ended June 30, 2023, DDAP was required to submit year end PPRs for the SOR I and SOR II grants for the period September 30, 2021 through September 29, 2022. In addition, DDAP was required to submit mid-year PPRs for SOR II and SOR III grants for the period September 30, 2022 through March 31, 2023. As the direct recipient of SOR funds, DDAP is responsible for ensuring the timeliness and accuracy of the mid-year and final report submissions. DDAP obtained summary information from the SCAs to compile and submit the PPR reports which contained all required data elements. However, DDAP did not implement policies and procedures to ensure the accuracy of the information reported by the SCAs. Therefore, DDAP was unable to provide supporting documentation for amounts reported by SCAs on the PPR reports or to demonstrate that DDAP had reviewed and verified the accuracy of this information. Criteria: The SOR Program guidance for PPR published by SAMSHA states: • Recipients are required to report on their progress addressing the goals and objectives identified in the FOA. • Recipients are required to submit a Mid-Year and Annual Report on the progress achieved, barriers encountered and efforts to overcome these barriers. 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). Finding 2023 –¬ 007: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: DDAP did not implement policies and procedures to ensure the accuracy of information reported by SCAs which was included on the PPRs. Effect: Without review and validation of the detail supporting the summary information reported by SCAs, the PPRs may have contained inaccurate information. Recommendation: We recommend that DDAP implement formal policies and procedures to verify the information reported. Agency Response: DDAP agrees with the concern indicated in this finding regarding lack of policies and procedures to ensure the accuracy of information reported by SCAs, which is included on the PPRs. The Department contracts with 47 SCAs through 5-year grant agreements for the provision of prevention, intervention, treatment/treatment-related, and recovery support services throughout the Commonwealth. Each year, DDAP’s Division of Program Monitoring staff monitors all SCAs to assess compliance as well as evaluate the SCA’s performance. Although the Department has developed and implemented an extensive monitoring process as it relates to the SCAs, the process does not include steps to validate the accuracy of information requested from the SCAs for the PPRs as required by SAMHSA for the SOR program. The Department understands the necessity to establish policies and procedures to ensure the accuracy of information reported by SCAs. Going forward, DDAP will develop and implement a plan to validate SCA information being reported and will incorporate this process into the SCA monitoring. Questioned Costs: The amount of questioned costs cannot be determined.

Office of the Budget – Office of Comptroller Operations Finding 2023 –¬ 022: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.788 – Opioid STR A Significant Deficiency and Noncompliance Exist in the Commonwealth’s FFATA Reporting Process (A Similar Condition Was Noted in Prior Year Finding 2022-012) Federal Grant Number(s) and Year(s): 2201PATANF (10/01/2021 – 9/30/2022), H79T1083297 (9/30/2020 – 9/29/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Reporting Condition: The Federal Funding Accountability and Transparency Act (FFATA) requires the Commonwealth of Pennsylvania to report first-tier subawards of $30,000 or more to the FFATA Subaward Reporting System (FSRS). Necessary details including the contract amount, contract date, federal award identification number, internal order number, and other information are entered into the Commonwealth’s SAP accounting system when the Commonwealth agencies award subrecipient contracts in order to ensure compliance with the FFATA reporting requirements. Each month Commonwealth information technology personnel run an extract in SAP to populate a FFATA database and generate a report that summarizes the contract information required for that month’s FFATA reporting. The Office of the Budget, Bureau of Accounting and Financial Management (OB-BAFM), is responsible for overseeing FFATA reporting, to include reviewing the summary report to ensure the contract data is complete. Once reviewed, the information is uploaded into FSRS to meet FFATA reporting requirements. Our testing of the FFATA reporting requirements for 40 subaward transactions totaling $112.9 million from thirteen major programs disclosed that two transactions totaling approximately $11.9 million, or 11 percent of transactions tested, were not reported to FSRS. Specifically, the two transactions for which the FFATA information was not reported occurred within two of the 13 programs tested as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2023 –¬ 022: (continued) Criteria: 2 CFR Section 170, Appendix A to Part 170, Award Term, states in part: I. Reporting Subawards and Executive Compensation a. Reporting of first tier subawards. Applicability. Unless you are exempt as provided in paragraph d. of this award term, you must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency (see definitions in paragraph e. of this award term). 2. Where and when to report. i. The non-Federal entity or Federal agency must report each obligating action described in paragraph a.1. of this award term to http://www.fsrs.gov. ii. For subaward information, report no later than the end of the month following the month in which the obligation was made. (For example, if the obligation was made on November 7, 2010, the obligation must be reported by no later than December 31, 2010.) 3. What to report. You must report the information about each obligating action that the submission instructions posted at http://www.fsrs.gov specify. b. Reporting total compensation of recipient executives for non-Federal entities. 1. Applicability and what to report. You must report total compensation for each of your five most highly compensated executives for the preceding completed fiscal year, if - i. The total Federal funding authorized to date under this Federal award equals or exceeds $30,000 as defined in 2 CFR 170.320; ii. in the preceding fiscal year, you received - (A) 80 percent or more of your annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards), and (B) $25,000,000 or more in annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards); and, iii. The public does not have access to information about the compensation of the executives through periodic reports filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a), 78o(d)) or section 6104 of the Internal Revenue Code of 1986. (To determine if the public has access to the compensation information, see the U.S. Security and Exchange Commission total compensation filings at http://www.sec.gov/answers/execomp.htm.) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2023 –¬ 022: (continued) Cause: Regarding the two transactions identified during our testing that were not reported in the FFATA database, OB-BAFM personnel indicated the awards were overlooked during the FFATA review. As a result of our inquiry, OB-BAFM Personnel indicated that these awards were subsequently uploaded to the FFATA database and FSRS as required. Effect: Since the subaward information for two transactions tested were not included in the FFATA database, the required subaward information was not reported to FSRS as required. Further, noncompliance with FFATA reporting requirements in FSRS may recur in future periods if control deficiencies are not corrected to ensure completeness of the FFATA database. Recommendation: We recommend that OB-BAFM follow their established procedures to ensure all subrecipient contract information is included in the FFATA database to ensure that FSRS is accurate and complete. Agency Response: OB-BAFM agrees with the finding. Questioned Costs: None

Department of Human Services Finding 2023 – 012: ALN 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2022-006) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 – 9/30/2022), 231PA405S2514 (10/01/2022 – 9/30/2023), 1701PATANF (10/01/2016 – 9/30/2017), 2101PATANF (10/01/2020 – 9/30/2021), 2101PATANFC6 (10/01/2020 – 9/30/2022), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2023 totaled $5.5 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2023 totaled $116.8 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our testing of the physical security over EBT cards, we noted exceptions at ten CAO and district locations selected for testing. These exceptions included the following: 1) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a CAO (1 location); 2) The Roles/Permissions Report from the EBT Card Tracking Database provided by the EBT Project Office and CAO/district offices did not reconcile (1 district office and 5 CAO locations); 3) EBT cards were created outside of the hours of operations (1 district office and 1 CAO location); 4) Failure to perform the following: • Completion of the witness fields on a Ribbon Log (1 CAO location); • Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 district office); • Ensure that coverage for card pinning is available until 5:00 PM each business day (2 locations); • Enter EBT cards into the EBT Card Tracking Database at the same time that the card Primary Account Number (PAN) is created in the Electronic Payment Processing and Information Control (EPPIC) system (1 CAO location); • Maintain adequate security of EBT cards (1 district office); • Maintain adequate security of pinning device (1 district office); • Maintain adequate security of EBT card printing device (1 district office); Finding 2023 – 012: (continued) • Maintain operational efficiency due to only having one PIN Select Device (1 CAO location); • Maintain Form HS 764 in the case record after the EBT card is created (1 CAO location); • Maintain an EPPIC EBT Systems Application form (1 CAO location); • Proper completion of the EPPIC EBT Systems Application form; the form requested the user be granted an EPPIC Admin role (inquiry-only access) as well as a PIN Select User role (1 CAO location); • Timely enter a shipment received into the EBT Card Tracking Database (1 CAO location); and • Timely completion and submission of the EPPIC EBT Systems Application forms to the Office of Income Maintenance (OIM) EBT Security (1 district office and 3 CAO locations). Forty of the 261 business days in the current audit period were selected to test the handling and destruction of returned EBT cards. During our testing of the handling and destruction of returned EBT cards, we noted exceptions on one of the 40 business days selected for testing. These exceptions included the following: 1) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Approved by the Project Officer" column of the EBT Headquarters Card Destruction Log was signed and dated by the supervisor one day after the “Cards Destroyed by” column was signed and dated by the clerk. The cards were destroyed prior to the review/approval by the supervisor. 2) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Number of Cards Received by the Project Officer” column of the EBT Headquarters Card Destruction Log was not completed by the supervisor. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions – N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also §75.361, 75.362, 75.363, 75.364, and 75.365): (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See §75.303. Finding 2023 – 012: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Human Services Finding 2023 – 012: ALN 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2022-006) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 – 9/30/2022), 231PA405S2514 (10/01/2022 – 9/30/2023), 1701PATANF (10/01/2016 – 9/30/2017), 2101PATANF (10/01/2020 – 9/30/2021), 2101PATANFC6 (10/01/2020 – 9/30/2022), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2023 totaled $5.5 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2023 totaled $116.8 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our testing of the physical security over EBT cards, we noted exceptions at ten CAO and district locations selected for testing. These exceptions included the following: 1) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a CAO (1 location); 2) The Roles/Permissions Report from the EBT Card Tracking Database provided by the EBT Project Office and CAO/district offices did not reconcile (1 district office and 5 CAO locations); 3) EBT cards were created outside of the hours of operations (1 district office and 1 CAO location); 4) Failure to perform the following: • Completion of the witness fields on a Ribbon Log (1 CAO location); • Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 district office); • Ensure that coverage for card pinning is available until 5:00 PM each business day (2 locations); • Enter EBT cards into the EBT Card Tracking Database at the same time that the card Primary Account Number (PAN) is created in the Electronic Payment Processing and Information Control (EPPIC) system (1 CAO location); • Maintain adequate security of EBT cards (1 district office); • Maintain adequate security of pinning device (1 district office); • Maintain adequate security of EBT card printing device (1 district office); Finding 2023 – 012: (continued) • Maintain operational efficiency due to only having one PIN Select Device (1 CAO location); • Maintain Form HS 764 in the case record after the EBT card is created (1 CAO location); • Maintain an EPPIC EBT Systems Application form (1 CAO location); • Proper completion of the EPPIC EBT Systems Application form; the form requested the user be granted an EPPIC Admin role (inquiry-only access) as well as a PIN Select User role (1 CAO location); • Timely enter a shipment received into the EBT Card Tracking Database (1 CAO location); and • Timely completion and submission of the EPPIC EBT Systems Application forms to the Office of Income Maintenance (OIM) EBT Security (1 district office and 3 CAO locations). Forty of the 261 business days in the current audit period were selected to test the handling and destruction of returned EBT cards. During our testing of the handling and destruction of returned EBT cards, we noted exceptions on one of the 40 business days selected for testing. These exceptions included the following: 1) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Approved by the Project Officer" column of the EBT Headquarters Card Destruction Log was signed and dated by the supervisor one day after the “Cards Destroyed by” column was signed and dated by the clerk. The cards were destroyed prior to the review/approval by the supervisor. 2) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Number of Cards Received by the Project Officer” column of the EBT Headquarters Card Destruction Log was not completed by the supervisor. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions – N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also §75.361, 75.362, 75.363, 75.364, and 75.365): (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See §75.303. Finding 2023 – 012: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Human Services Finding 2023 – 012: ALN 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2022-006) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 – 9/30/2022), 231PA405S2514 (10/01/2022 – 9/30/2023), 1701PATANF (10/01/2016 – 9/30/2017), 2101PATANF (10/01/2020 – 9/30/2021), 2101PATANFC6 (10/01/2020 – 9/30/2022), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2023 totaled $5.5 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2023 totaled $116.8 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our testing of the physical security over EBT cards, we noted exceptions at ten CAO and district locations selected for testing. These exceptions included the following: 1) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a CAO (1 location); 2) The Roles/Permissions Report from the EBT Card Tracking Database provided by the EBT Project Office and CAO/district offices did not reconcile (1 district office and 5 CAO locations); 3) EBT cards were created outside of the hours of operations (1 district office and 1 CAO location); 4) Failure to perform the following: • Completion of the witness fields on a Ribbon Log (1 CAO location); • Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 district office); • Ensure that coverage for card pinning is available until 5:00 PM each business day (2 locations); • Enter EBT cards into the EBT Card Tracking Database at the same time that the card Primary Account Number (PAN) is created in the Electronic Payment Processing and Information Control (EPPIC) system (1 CAO location); • Maintain adequate security of EBT cards (1 district office); • Maintain adequate security of pinning device (1 district office); • Maintain adequate security of EBT card printing device (1 district office); Finding 2023 – 012: (continued) • Maintain operational efficiency due to only having one PIN Select Device (1 CAO location); • Maintain Form HS 764 in the case record after the EBT card is created (1 CAO location); • Maintain an EPPIC EBT Systems Application form (1 CAO location); • Proper completion of the EPPIC EBT Systems Application form; the form requested the user be granted an EPPIC Admin role (inquiry-only access) as well as a PIN Select User role (1 CAO location); • Timely enter a shipment received into the EBT Card Tracking Database (1 CAO location); and • Timely completion and submission of the EPPIC EBT Systems Application forms to the Office of Income Maintenance (OIM) EBT Security (1 district office and 3 CAO locations). Forty of the 261 business days in the current audit period were selected to test the handling and destruction of returned EBT cards. During our testing of the handling and destruction of returned EBT cards, we noted exceptions on one of the 40 business days selected for testing. These exceptions included the following: 1) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Approved by the Project Officer" column of the EBT Headquarters Card Destruction Log was signed and dated by the supervisor one day after the “Cards Destroyed by” column was signed and dated by the clerk. The cards were destroyed prior to the review/approval by the supervisor. 2) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Number of Cards Received by the Project Officer” column of the EBT Headquarters Card Destruction Log was not completed by the supervisor. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions – N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also §75.361, 75.362, 75.363, 75.364, and 75.365): (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See §75.303. Finding 2023 – 012: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Human Services Finding 2023 – 012: ALN 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2022-006) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 – 9/30/2022), 231PA405S2514 (10/01/2022 – 9/30/2023), 1701PATANF (10/01/2016 – 9/30/2017), 2101PATANF (10/01/2020 – 9/30/2021), 2101PATANFC6 (10/01/2020 – 9/30/2022), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2023 totaled $5.5 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2023 totaled $116.8 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our testing of the physical security over EBT cards, we noted exceptions at ten CAO and district locations selected for testing. These exceptions included the following: 1) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a CAO (1 location); 2) The Roles/Permissions Report from the EBT Card Tracking Database provided by the EBT Project Office and CAO/district offices did not reconcile (1 district office and 5 CAO locations); 3) EBT cards were created outside of the hours of operations (1 district office and 1 CAO location); 4) Failure to perform the following: • Completion of the witness fields on a Ribbon Log (1 CAO location); • Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 district office); • Ensure that coverage for card pinning is available until 5:00 PM each business day (2 locations); • Enter EBT cards into the EBT Card Tracking Database at the same time that the card Primary Account Number (PAN) is created in the Electronic Payment Processing and Information Control (EPPIC) system (1 CAO location); • Maintain adequate security of EBT cards (1 district office); • Maintain adequate security of pinning device (1 district office); • Maintain adequate security of EBT card printing device (1 district office); Finding 2023 – 012: (continued) • Maintain operational efficiency due to only having one PIN Select Device (1 CAO location); • Maintain Form HS 764 in the case record after the EBT card is created (1 CAO location); • Maintain an EPPIC EBT Systems Application form (1 CAO location); • Proper completion of the EPPIC EBT Systems Application form; the form requested the user be granted an EPPIC Admin role (inquiry-only access) as well as a PIN Select User role (1 CAO location); • Timely enter a shipment received into the EBT Card Tracking Database (1 CAO location); and • Timely completion and submission of the EPPIC EBT Systems Application forms to the Office of Income Maintenance (OIM) EBT Security (1 district office and 3 CAO locations). Forty of the 261 business days in the current audit period were selected to test the handling and destruction of returned EBT cards. During our testing of the handling and destruction of returned EBT cards, we noted exceptions on one of the 40 business days selected for testing. These exceptions included the following: 1) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Approved by the Project Officer" column of the EBT Headquarters Card Destruction Log was signed and dated by the supervisor one day after the “Cards Destroyed by” column was signed and dated by the clerk. The cards were destroyed prior to the review/approval by the supervisor. 2) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Number of Cards Received by the Project Officer” column of the EBT Headquarters Card Destruction Log was not completed by the supervisor. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions – N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also §75.361, 75.362, 75.363, 75.364, and 75.365): (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See §75.303. Finding 2023 – 012: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 – 004: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2022-010) Federal Grant Number(s) and Year(s): 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA365N8903 (10/01/2022 – 9/30/2024), 221PA365N8903 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. A monthly performance report (MPR) is submitted to BFA by processors to support commodity activity. We noted a discrepancy between a processor’s MPR and BFA’s Commodity Inventory Report. We noted the following discrepancy in this reconciliation: • Our testing of 40 processor MPRs disclosed that for one processor, BFA duplicated a receipt on their Commodity Inventory Report which was prepared from the inventory application. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.2 Accountability for USDA – Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDA management stated that inventory received was erroneously duplicated for the processor indicated above. Finding 2023 – 004: (continued) Effect: The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA’s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. Agency Response: PDA agrees with the facts of the finding. Questioned Costs: None

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 – 004: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2022-010) Federal Grant Number(s) and Year(s): 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA365N8903 (10/01/2022 – 9/30/2024), 221PA365N8903 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. A monthly performance report (MPR) is submitted to BFA by processors to support commodity activity. We noted a discrepancy between a processor’s MPR and BFA’s Commodity Inventory Report. We noted the following discrepancy in this reconciliation: • Our testing of 40 processor MPRs disclosed that for one processor, BFA duplicated a receipt on their Commodity Inventory Report which was prepared from the inventory application. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.2 Accountability for USDA – Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDA management stated that inventory received was erroneously duplicated for the processor indicated above. Finding 2023 – 004: (continued) Effect: The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA’s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. Agency Response: PDA agrees with the facts of the finding. Questioned Costs: None

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 – 004: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2022-010) Federal Grant Number(s) and Year(s): 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA365N8903 (10/01/2022 – 9/30/2024), 221PA365N8903 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. A monthly performance report (MPR) is submitted to BFA by processors to support commodity activity. We noted a discrepancy between a processor’s MPR and BFA’s Commodity Inventory Report. We noted the following discrepancy in this reconciliation: • Our testing of 40 processor MPRs disclosed that for one processor, BFA duplicated a receipt on their Commodity Inventory Report which was prepared from the inventory application. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.2 Accountability for USDA – Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDA management stated that inventory received was erroneously duplicated for the processor indicated above. Finding 2023 – 004: (continued) Effect: The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA’s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. Agency Response: PDA agrees with the facts of the finding. Questioned Costs: None

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 – 004: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2022-010) Federal Grant Number(s) and Year(s): 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA365N8903 (10/01/2022 – 9/30/2024), 221PA365N8903 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. A monthly performance report (MPR) is submitted to BFA by processors to support commodity activity. We noted a discrepancy between a processor’s MPR and BFA’s Commodity Inventory Report. We noted the following discrepancy in this reconciliation: • Our testing of 40 processor MPRs disclosed that for one processor, BFA duplicated a receipt on their Commodity Inventory Report which was prepared from the inventory application. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.2 Accountability for USDA – Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDA management stated that inventory received was erroneously duplicated for the processor indicated above. Finding 2023 – 004: (continued) Effect: The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA’s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. Agency Response: PDA agrees with the facts of the finding. Questioned Costs: None

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 – 004: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2022-010) Federal Grant Number(s) and Year(s): 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA365N8903 (10/01/2022 – 9/30/2024), 221PA365N8903 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. A monthly performance report (MPR) is submitted to BFA by processors to support commodity activity. We noted a discrepancy between a processor’s MPR and BFA’s Commodity Inventory Report. We noted the following discrepancy in this reconciliation: • Our testing of 40 processor MPRs disclosed that for one processor, BFA duplicated a receipt on their Commodity Inventory Report which was prepared from the inventory application. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.2 Accountability for USDA – Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDA management stated that inventory received was erroneously duplicated for the processor indicated above. Finding 2023 – 004: (continued) Effect: The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA’s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. Agency Response: PDA agrees with the facts of the finding. Questioned Costs: None

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 – 004: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2022-010) Federal Grant Number(s) and Year(s): 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA365N8903 (10/01/2022 – 9/30/2024), 221PA365N8903 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. A monthly performance report (MPR) is submitted to BFA by processors to support commodity activity. We noted a discrepancy between a processor’s MPR and BFA’s Commodity Inventory Report. We noted the following discrepancy in this reconciliation: • Our testing of 40 processor MPRs disclosed that for one processor, BFA duplicated a receipt on their Commodity Inventory Report which was prepared from the inventory application. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.2 Accountability for USDA – Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDA management stated that inventory received was erroneously duplicated for the processor indicated above. Finding 2023 – 004: (continued) Effect: The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA’s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. Agency Response: PDA agrees with the facts of the finding. Questioned Costs: None

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 – 004: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2022-010) Federal Grant Number(s) and Year(s): 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA365N8903 (10/01/2022 – 9/30/2024), 221PA365N8903 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. A monthly performance report (MPR) is submitted to BFA by processors to support commodity activity. We noted a discrepancy between a processor’s MPR and BFA’s Commodity Inventory Report. We noted the following discrepancy in this reconciliation: • Our testing of 40 processor MPRs disclosed that for one processor, BFA duplicated a receipt on their Commodity Inventory Report which was prepared from the inventory application. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.2 Accountability for USDA – Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDA management stated that inventory received was erroneously duplicated for the processor indicated above. Finding 2023 – 004: (continued) Effect: The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA’s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. Agency Response: PDA agrees with the facts of the finding. Questioned Costs: None

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 – 004: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) Controls Over the Accountability of Donated Foods Need Improvement (A Similar Condition Was Noted in Prior Year Finding 2022-010) Federal Grant Number(s) and Year(s): 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA365N8903 (10/01/2022 – 9/30/2024), 221PA365N8903 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to Accountability for USDA - Donated Foods Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), is responsible for the accountability of the United States Department of Agriculture (USDA) donated food under the National School Lunch Program (NSLP) and Summer Food Service Program for Children (SFSP) within the Child and Nutrition Cluster (CNC). BFA utilizes a computer application as an inventory and distribution tracking system for donated food. The Agency Summary Report, Commodity Inventory Report for Distributors, and Commodity Inventory Report for Processors are generated in the computer application to compile commodity expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA). BFA performs reconciliations of the inventory, commodity receipts, and distributions in these reports to distributor, processor, and recipient activity. A monthly performance report (MPR) is submitted to BFA by processors to support commodity activity. We noted a discrepancy between a processor’s MPR and BFA’s Commodity Inventory Report. We noted the following discrepancy in this reconciliation: • Our testing of 40 processor MPRs disclosed that for one processor, BFA duplicated a receipt on their Commodity Inventory Report which was prepared from the inventory application. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the CNC Cluster, Special Tests and Provisions – N.2 Accountability for USDA – Donated Foods, states: a. Maintenance of Records: Distributing and subdistributing agencies (as defined at 7 CFR section 250.3) must maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. 7 CFR Section 250.19, Recordkeeping requirements, states: (a) Required records. Distributing agencies, recipient agencies, processors, and other entities must maintain records of agreements and contracts, reports, audits, and claim actions, funds obtained as an incident of donated food distribution, and other records specifically required in this part or in other Departmental regulations, as applicable. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDA management stated that inventory received was erroneously duplicated for the processor indicated above. Finding 2023 – 004: (continued) Effect: The discrepancies noted above related to inaccurate records could result in improper distribution of donated foods and misstatements in BFA’s inventory reconciliations and commodity expenditures reported in the SEFA. Recommendation: PDA should maintain accurate and complete records with respect to the receipt, distribution, and inventory of USDA-donated foods, including end products processed from donated food. PDA should strengthen procedures for future periods to ensure errors identified during the reconciliation process are corrected timely in the system. Agency Response: PDA agrees with the facts of the finding. Questioned Costs: None

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 ¬– 005: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster A Significant Deficiency and Noncompliance Exist in Pennsylvania Department of Agriculture Monitoring of Food Distribution Cluster Subrecipients Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), administers the operations of the Food Distribution Cluster (FDC). During the fiscal year ended June 30, 2023, subrecipient expenditures accounted for $78.9 million or approximately 95 percent of total federal program expenditures of $83.3 million. PDA performs on-site monitoring of subrecipients to ensure compliance with federal program regulations. For the Emergency Food Assistance Program (TEFAP), PDA must perform annual reviews for at least 25 percent of subrecipients who have signed agreements with PDA and no less frequent than once every four years. For the Commodity Supplemental Food Program (CSFP), PDA must perform an on-site review of all subrecipients at least once every two years. As part of our testing of subrecipient monitoring, we selected nine subrecipients to test PDA’s monitoring procedures. We verified that PDA performed monitoring reviews within the required period. Our testing disclosed that PDA failed to monitor one of the 17 CSFP subrecipients in the two-year period from July 1, 2021 through June 30, 2023. Criteria: 7 CFR Section 251.10 (e) (2) regarding TEFAP state monitoring system states: Unless specific exceptions are approved in writing by FNS, the State agency monitoring system must include: (i) An annual review of at least 25 percent of all eligible recipient agencies which have signed an agreement with the State agency pursuant to § 251.2(c), provided that each such agency must be reviewed no less frequently than once every four years; and (ii) An annual review of one-tenth or 20, whichever is fewer, of all eligible recipient agencies which receive TEFAP commodities and/or administrative funds pursuant to an agreement with another eligible recipient agency. Reviews must be conducted, to the maximum extent feasible, simultaneously with actual distribution of commodities and/or meal service, and eligibility determinations, if applicable. State agencies must develop a system for selecting eligible recipient agencies for review that ensures deficiencies in program administration are detected and resolved in an effective and efficient manner. 7 CFR Section 247.34 (a) regarding CSFP management reviews states: The State agency must establish a management review system to ensure that local agencies, subdistributing agencies, and other agencies conducting program activities meet program requirements and objectives. As part of the system, the State agency must perform an on-site review of all local agencies, and of all storage facilities utilized by local agencies, at least once every two years. As part of the on-site review, the State agency must evaluate all aspects of program administration, including certification procedures, nutrition education, civil rights compliance, food storage practices, inventory controls, and financial management systems. In addition to conducting on-site reviews, the State agency must evaluate program administration on an ongoing basis by reviewing financial reports, audit reports, food orders, inventory reports, and other relevant information. Finding 2023 –¬ 005: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Cause: PDA management stated that the subrecipient was to be reviewed in April 2023, but due to new staff assigned to the review, management decided to delay the review for a period of one year to April 2024. Effect: When subrecipients are not reviewed timely, subrecipients may continue to operate in noncompliance with program regulations. Recommendation: We recommend that PDA implement procedures necessary to ensure subrecipients are timely monitored in accordance with FDC program regulations. Agency Response: PDA agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 ¬– 005: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster A Significant Deficiency and Noncompliance Exist in Pennsylvania Department of Agriculture Monitoring of Food Distribution Cluster Subrecipients Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), administers the operations of the Food Distribution Cluster (FDC). During the fiscal year ended June 30, 2023, subrecipient expenditures accounted for $78.9 million or approximately 95 percent of total federal program expenditures of $83.3 million. PDA performs on-site monitoring of subrecipients to ensure compliance with federal program regulations. For the Emergency Food Assistance Program (TEFAP), PDA must perform annual reviews for at least 25 percent of subrecipients who have signed agreements with PDA and no less frequent than once every four years. For the Commodity Supplemental Food Program (CSFP), PDA must perform an on-site review of all subrecipients at least once every two years. As part of our testing of subrecipient monitoring, we selected nine subrecipients to test PDA’s monitoring procedures. We verified that PDA performed monitoring reviews within the required period. Our testing disclosed that PDA failed to monitor one of the 17 CSFP subrecipients in the two-year period from July 1, 2021 through June 30, 2023. Criteria: 7 CFR Section 251.10 (e) (2) regarding TEFAP state monitoring system states: Unless specific exceptions are approved in writing by FNS, the State agency monitoring system must include: (i) An annual review of at least 25 percent of all eligible recipient agencies which have signed an agreement with the State agency pursuant to § 251.2(c), provided that each such agency must be reviewed no less frequently than once every four years; and (ii) An annual review of one-tenth or 20, whichever is fewer, of all eligible recipient agencies which receive TEFAP commodities and/or administrative funds pursuant to an agreement with another eligible recipient agency. Reviews must be conducted, to the maximum extent feasible, simultaneously with actual distribution of commodities and/or meal service, and eligibility determinations, if applicable. State agencies must develop a system for selecting eligible recipient agencies for review that ensures deficiencies in program administration are detected and resolved in an effective and efficient manner. 7 CFR Section 247.34 (a) regarding CSFP management reviews states: The State agency must establish a management review system to ensure that local agencies, subdistributing agencies, and other agencies conducting program activities meet program requirements and objectives. As part of the system, the State agency must perform an on-site review of all local agencies, and of all storage facilities utilized by local agencies, at least once every two years. As part of the on-site review, the State agency must evaluate all aspects of program administration, including certification procedures, nutrition education, civil rights compliance, food storage practices, inventory controls, and financial management systems. In addition to conducting on-site reviews, the State agency must evaluate program administration on an ongoing basis by reviewing financial reports, audit reports, food orders, inventory reports, and other relevant information. Finding 2023 –¬ 005: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Cause: PDA management stated that the subrecipient was to be reviewed in April 2023, but due to new staff assigned to the review, management decided to delay the review for a period of one year to April 2024. Effect: When subrecipients are not reviewed timely, subrecipients may continue to operate in noncompliance with program regulations. Recommendation: We recommend that PDA implement procedures necessary to ensure subrecipients are timely monitored in accordance with FDC program regulations. Agency Response: PDA agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 ¬– 005: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster A Significant Deficiency and Noncompliance Exist in Pennsylvania Department of Agriculture Monitoring of Food Distribution Cluster Subrecipients Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), administers the operations of the Food Distribution Cluster (FDC). During the fiscal year ended June 30, 2023, subrecipient expenditures accounted for $78.9 million or approximately 95 percent of total federal program expenditures of $83.3 million. PDA performs on-site monitoring of subrecipients to ensure compliance with federal program regulations. For the Emergency Food Assistance Program (TEFAP), PDA must perform annual reviews for at least 25 percent of subrecipients who have signed agreements with PDA and no less frequent than once every four years. For the Commodity Supplemental Food Program (CSFP), PDA must perform an on-site review of all subrecipients at least once every two years. As part of our testing of subrecipient monitoring, we selected nine subrecipients to test PDA’s monitoring procedures. We verified that PDA performed monitoring reviews within the required period. Our testing disclosed that PDA failed to monitor one of the 17 CSFP subrecipients in the two-year period from July 1, 2021 through June 30, 2023. Criteria: 7 CFR Section 251.10 (e) (2) regarding TEFAP state monitoring system states: Unless specific exceptions are approved in writing by FNS, the State agency monitoring system must include: (i) An annual review of at least 25 percent of all eligible recipient agencies which have signed an agreement with the State agency pursuant to § 251.2(c), provided that each such agency must be reviewed no less frequently than once every four years; and (ii) An annual review of one-tenth or 20, whichever is fewer, of all eligible recipient agencies which receive TEFAP commodities and/or administrative funds pursuant to an agreement with another eligible recipient agency. Reviews must be conducted, to the maximum extent feasible, simultaneously with actual distribution of commodities and/or meal service, and eligibility determinations, if applicable. State agencies must develop a system for selecting eligible recipient agencies for review that ensures deficiencies in program administration are detected and resolved in an effective and efficient manner. 7 CFR Section 247.34 (a) regarding CSFP management reviews states: The State agency must establish a management review system to ensure that local agencies, subdistributing agencies, and other agencies conducting program activities meet program requirements and objectives. As part of the system, the State agency must perform an on-site review of all local agencies, and of all storage facilities utilized by local agencies, at least once every two years. As part of the on-site review, the State agency must evaluate all aspects of program administration, including certification procedures, nutrition education, civil rights compliance, food storage practices, inventory controls, and financial management systems. In addition to conducting on-site reviews, the State agency must evaluate program administration on an ongoing basis by reviewing financial reports, audit reports, food orders, inventory reports, and other relevant information. Finding 2023 –¬ 005: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Cause: PDA management stated that the subrecipient was to be reviewed in April 2023, but due to new staff assigned to the review, management decided to delay the review for a period of one year to April 2024. Effect: When subrecipients are not reviewed timely, subrecipients may continue to operate in noncompliance with program regulations. Recommendation: We recommend that PDA implement procedures necessary to ensure subrecipients are timely monitored in accordance with FDC program regulations. Agency Response: PDA agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Agriculture Finding 2023 ¬– 005: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster A Significant Deficiency and Noncompliance Exist in Pennsylvania Department of Agriculture Monitoring of Food Distribution Cluster Subrecipients Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Pennsylvania Department of Agriculture (PDA), Bureau of Food Assistance (BFA), administers the operations of the Food Distribution Cluster (FDC). During the fiscal year ended June 30, 2023, subrecipient expenditures accounted for $78.9 million or approximately 95 percent of total federal program expenditures of $83.3 million. PDA performs on-site monitoring of subrecipients to ensure compliance with federal program regulations. For the Emergency Food Assistance Program (TEFAP), PDA must perform annual reviews for at least 25 percent of subrecipients who have signed agreements with PDA and no less frequent than once every four years. For the Commodity Supplemental Food Program (CSFP), PDA must perform an on-site review of all subrecipients at least once every two years. As part of our testing of subrecipient monitoring, we selected nine subrecipients to test PDA’s monitoring procedures. We verified that PDA performed monitoring reviews within the required period. Our testing disclosed that PDA failed to monitor one of the 17 CSFP subrecipients in the two-year period from July 1, 2021 through June 30, 2023. Criteria: 7 CFR Section 251.10 (e) (2) regarding TEFAP state monitoring system states: Unless specific exceptions are approved in writing by FNS, the State agency monitoring system must include: (i) An annual review of at least 25 percent of all eligible recipient agencies which have signed an agreement with the State agency pursuant to § 251.2(c), provided that each such agency must be reviewed no less frequently than once every four years; and (ii) An annual review of one-tenth or 20, whichever is fewer, of all eligible recipient agencies which receive TEFAP commodities and/or administrative funds pursuant to an agreement with another eligible recipient agency. Reviews must be conducted, to the maximum extent feasible, simultaneously with actual distribution of commodities and/or meal service, and eligibility determinations, if applicable. State agencies must develop a system for selecting eligible recipient agencies for review that ensures deficiencies in program administration are detected and resolved in an effective and efficient manner. 7 CFR Section 247.34 (a) regarding CSFP management reviews states: The State agency must establish a management review system to ensure that local agencies, subdistributing agencies, and other agencies conducting program activities meet program requirements and objectives. As part of the system, the State agency must perform an on-site review of all local agencies, and of all storage facilities utilized by local agencies, at least once every two years. As part of the on-site review, the State agency must evaluate all aspects of program administration, including certification procedures, nutrition education, civil rights compliance, food storage practices, inventory controls, and financial management systems. In addition to conducting on-site reviews, the State agency must evaluate program administration on an ongoing basis by reviewing financial reports, audit reports, food orders, inventory reports, and other relevant information. Finding 2023 –¬ 005: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Cause: PDA management stated that the subrecipient was to be reviewed in April 2023, but due to new staff assigned to the review, management decided to delay the review for a period of one year to April 2024. Effect: When subrecipients are not reviewed timely, subrecipients may continue to operate in noncompliance with program regulations. Recommendation: We recommend that PDA implement procedures necessary to ensure subrecipients are timely monitored in accordance with FDC program regulations. Agency Response: PDA agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Education Finding 2023 –¬ 008: ALN 10.558 – Child and Adult Care Food Program A Significant Deficiency and Noncompliance Exist in Pennsylvania Department of Education Monitoring of Child and Adult Care Food Program Subrecipients Federal Grant Number(s) and Year(s): 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA305N1099 (10/01/2021 – 9/30/2022) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Pennsylvania Department of Education (PDE), Division of Food and Nutrition, Bureau of Budget and Fiscal Management, administers the operations of the Child and Adult Care Food Program (CACFP). During the fiscal year ended June 30, 2023, subrecipient expenditures accounted for $117.9 million or approximately 99 percent of total federal program expenditures of $119 million. As part of our testing of subrecipient monitoring, we selected 40 subrecipients to test PDE’s monitoring procedures. PDE performs on-site monitoring of subrecipients to ensure compliance with federal program regulations. The United States Department of Agriculture waived the CACFP monitoring requirement included in 7 CFR Section 226.6 (m) (6) to be conducted on-site through June 30, 2023. However, state agencies that elected to use the waiver were still required to continue monitoring activities of program operations off-site. Independent centers and sponsoring organizations (subrecipients) of one to 100 facilities must be reviewed once every three years, and sponsoring organizations with more than 100 facilities must be reviewed once every two years. PDE uses standardized monitoring reports to document its review of each subrecipient, noting deficiencies and areas for improvement. PDE communicates any deficiencies noted and recommendations to the subrecipient and requires the subrecipient to submit corrective action documents (CAD) to PDE. PDE then reviews and evaluates responses submitted on the CAD for adequacy. 7 CFR Section 226.6 (o) requires PDE to ensure the corrective actions are approved within a time period specified by PDE. Applicable to the current audit period, PDE’s internal procedures in Standard Operating Procedure (SOP) #FS-RS-CACFP-05, state that the review must be closed within 180 days of the exit date. To close an administrative review, PDE must either approve the subrecipient’s response to the CAD or issue a notice of serious deficiency to the subrecipient if acceptable responses to the CAD are not received. PDE’s responsibility for financial management requires it to have a system in place for monitoring and reviewing subrecipients’ documentation of their nonprofit status. The resource management section of PDE’s monitoring instrument contains steps to ensure the subrecipients have a nonprofit status. We sampled 40 of PDE’s reviews of subrecipients out of a population of 317 reviews scheduled during program year October 2021 to September 2022. We audited this period because PDE tracks their subrecipient monitoring based on a federal fiscal year basis. We noted the following deficiencies in our monitoring testing: • For three reviews that were closed by PDE for the program year and had a final determination letter issued, PDE did not close the reviews within the required 180 days. These reviews did not include any complex findings that would have required more time to close. The number of days these reviews were closed beyond 180 days ranged from 28 to 33 days with an average of 30 days. • For one review completed by PDE for the program year, PDE identified a deficiency, that the sponsor did not maintain a nonprofit status as required; however, the reviewer did not write or issue a CAD to the sponsor. Also, it did not appear that the regional supervisor identified it while processing the review. Finding 2023 ¬– 008: (continued) Criteria: 7 CFR Section 226.6 (o) regarding child care standards for compliance states: The State agency shall, when conducting administrative reviews of child care centers, and day care homes approved by the State agency under paragraph (d)(3) of this section, determine compliance with the child care standards used to establish eligibility, and the institution shall ensure that all violations are corrected and the State shall ensure that the institution has corrected all violations. If violations are not corrected within the specified timeframe for corrective action, the State agency must issue a notice of serious deficiency… PDE’s CACFP procedures regarding the performance of CACFP reviews of subrecipients, as specified in SOP #FS-RS-CACFP-05, state only that the “Review must be closed by 180 days after exit date.” This 180 days includes the issuance of any necessary findings and follow-up on CADs. 7 CFR Section 226.7 (b) (1) (iii) regarding state agency responsibilities for financial management states: State agencies must also have a system in place for: Monitoring and reviewing the institutions' documentation of their nonprofit status to ensure that all Program reimbursement funds are used solely for the conduct of the food service operation or to improve food service operations, principally for the benefit of children or adult participants. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDE management does not believe that the agency has a regulatory requirement to specify a time period for closing a review. 7 CFR Section 226 (o) indicates that the state shall ensure the institution has corrected all violations within the specified timeframe. PDE’s procedures in SOP #FS-RS-CACFP-05 states that an administrative review must close within 180 days after exit date, which requires PDE to either approve the subrecipient’s CAD or issue a notice of serious deficiency, if necessary. However, PDE believes the 180-day requirement is an internal policy and allows for exceptions. PDE management further stated that the delays were due to staffing changes and shortages and failure to issue a CAD for sponsor noncompliance was due to reviewer oversight. Effect: When findings and CADs are not reviewed, approved, and closed by PDE timely, subrecipients may continue to operate in noncompliance with program regulations. Permitting subrecipients to operate in violation of program requirements for extended periods of time increases the likelihood that funds may not be spent for intended purposes or in accordance with program requirements. Furthermore, untimely closure of findings and CADs by PDE increases the likelihood that individuals served by the program are not receiving the benefits that are paid for with CACFP funds. PDE’s failure to ensure sponsors are operating in a nonprofit status can result in subrecipients operating in noncompliance with program regulations where program reimbursement funds may be used for non-food service operations. Recommendation: We recommend that PDE management increase its review and oversight efforts. PDE should implement procedures necessary to ensure subrecipients are timely monitored, and monitoring findings and CADs are prepared, presented, and timely followed up on in accordance with CACFP program regulations. Agency Response: PDE disagrees with the portion of the finding as it pertains to timeliness of closing review and agrees with the portion of the finding that pertains to a sponsor who was not provided a CAD in response to an identified deficiency. Finding 2023 –¬ 008: (continued) Auditors’ Conclusion: As stated in the criteria above, we believe 7 CFR Section 226.6 (o) clearly states that the state agency must establish a specified timeframe for ensuring subrecipient corrective action has taken place. PDE’s SOP #FS-RS-CACFP-05 states the period is 180 days to close a review. The finding remains as stated. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Education Finding 2023 –¬ 008: ALN 10.558 – Child and Adult Care Food Program A Significant Deficiency and Noncompliance Exist in Pennsylvania Department of Education Monitoring of Child and Adult Care Food Program Subrecipients Federal Grant Number(s) and Year(s): 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA305N1099 (10/01/2021 – 9/30/2022) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Pennsylvania Department of Education (PDE), Division of Food and Nutrition, Bureau of Budget and Fiscal Management, administers the operations of the Child and Adult Care Food Program (CACFP). During the fiscal year ended June 30, 2023, subrecipient expenditures accounted for $117.9 million or approximately 99 percent of total federal program expenditures of $119 million. As part of our testing of subrecipient monitoring, we selected 40 subrecipients to test PDE’s monitoring procedures. PDE performs on-site monitoring of subrecipients to ensure compliance with federal program regulations. The United States Department of Agriculture waived the CACFP monitoring requirement included in 7 CFR Section 226.6 (m) (6) to be conducted on-site through June 30, 2023. However, state agencies that elected to use the waiver were still required to continue monitoring activities of program operations off-site. Independent centers and sponsoring organizations (subrecipients) of one to 100 facilities must be reviewed once every three years, and sponsoring organizations with more than 100 facilities must be reviewed once every two years. PDE uses standardized monitoring reports to document its review of each subrecipient, noting deficiencies and areas for improvement. PDE communicates any deficiencies noted and recommendations to the subrecipient and requires the subrecipient to submit corrective action documents (CAD) to PDE. PDE then reviews and evaluates responses submitted on the CAD for adequacy. 7 CFR Section 226.6 (o) requires PDE to ensure the corrective actions are approved within a time period specified by PDE. Applicable to the current audit period, PDE’s internal procedures in Standard Operating Procedure (SOP) #FS-RS-CACFP-05, state that the review must be closed within 180 days of the exit date. To close an administrative review, PDE must either approve the subrecipient’s response to the CAD or issue a notice of serious deficiency to the subrecipient if acceptable responses to the CAD are not received. PDE’s responsibility for financial management requires it to have a system in place for monitoring and reviewing subrecipients’ documentation of their nonprofit status. The resource management section of PDE’s monitoring instrument contains steps to ensure the subrecipients have a nonprofit status. We sampled 40 of PDE’s reviews of subrecipients out of a population of 317 reviews scheduled during program year October 2021 to September 2022. We audited this period because PDE tracks their subrecipient monitoring based on a federal fiscal year basis. We noted the following deficiencies in our monitoring testing: • For three reviews that were closed by PDE for the program year and had a final determination letter issued, PDE did not close the reviews within the required 180 days. These reviews did not include any complex findings that would have required more time to close. The number of days these reviews were closed beyond 180 days ranged from 28 to 33 days with an average of 30 days. • For one review completed by PDE for the program year, PDE identified a deficiency, that the sponsor did not maintain a nonprofit status as required; however, the reviewer did not write or issue a CAD to the sponsor. Also, it did not appear that the regional supervisor identified it while processing the review. Finding 2023 ¬– 008: (continued) Criteria: 7 CFR Section 226.6 (o) regarding child care standards for compliance states: The State agency shall, when conducting administrative reviews of child care centers, and day care homes approved by the State agency under paragraph (d)(3) of this section, determine compliance with the child care standards used to establish eligibility, and the institution shall ensure that all violations are corrected and the State shall ensure that the institution has corrected all violations. If violations are not corrected within the specified timeframe for corrective action, the State agency must issue a notice of serious deficiency… PDE’s CACFP procedures regarding the performance of CACFP reviews of subrecipients, as specified in SOP #FS-RS-CACFP-05, state only that the “Review must be closed by 180 days after exit date.” This 180 days includes the issuance of any necessary findings and follow-up on CADs. 7 CFR Section 226.7 (b) (1) (iii) regarding state agency responsibilities for financial management states: State agencies must also have a system in place for: Monitoring and reviewing the institutions' documentation of their nonprofit status to ensure that all Program reimbursement funds are used solely for the conduct of the food service operation or to improve food service operations, principally for the benefit of children or adult participants. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PDE management does not believe that the agency has a regulatory requirement to specify a time period for closing a review. 7 CFR Section 226 (o) indicates that the state shall ensure the institution has corrected all violations within the specified timeframe. PDE’s procedures in SOP #FS-RS-CACFP-05 states that an administrative review must close within 180 days after exit date, which requires PDE to either approve the subrecipient’s CAD or issue a notice of serious deficiency, if necessary. However, PDE believes the 180-day requirement is an internal policy and allows for exceptions. PDE management further stated that the delays were due to staffing changes and shortages and failure to issue a CAD for sponsor noncompliance was due to reviewer oversight. Effect: When findings and CADs are not reviewed, approved, and closed by PDE timely, subrecipients may continue to operate in noncompliance with program regulations. Permitting subrecipients to operate in violation of program requirements for extended periods of time increases the likelihood that funds may not be spent for intended purposes or in accordance with program requirements. Furthermore, untimely closure of findings and CADs by PDE increases the likelihood that individuals served by the program are not receiving the benefits that are paid for with CACFP funds. PDE’s failure to ensure sponsors are operating in a nonprofit status can result in subrecipients operating in noncompliance with program regulations where program reimbursement funds may be used for non-food service operations. Recommendation: We recommend that PDE management increase its review and oversight efforts. PDE should implement procedures necessary to ensure subrecipients are timely monitored, and monitoring findings and CADs are prepared, presented, and timely followed up on in accordance with CACFP program regulations. Agency Response: PDE disagrees with the portion of the finding as it pertains to timeliness of closing review and agrees with the portion of the finding that pertains to a sponsor who was not provided a CAD in response to an identified deficiency. Finding 2023 –¬ 008: (continued) Auditors’ Conclusion: As stated in the criteria above, we believe 7 CFR Section 226.6 (o) clearly states that the state agency must establish a specified timeframe for ensuring subrecipient corrective action has taken place. PDE’s SOP #FS-RS-CACFP-05 states the period is 180 days to close a review. The finding remains as stated. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Environmental Protection Finding 2023 –¬ 010: ALN 15.252 – Abandoned Mine Land Reclamation A Material Weakness and Material Noncompliance Exist at the Department of Environmental Protection Related to Subrecipient Monitoring (A Similar Condition Was Noted in Prior Year Finding 2022-005) Federal Grant Number(s) and Year(s): S22AF00017 (1/01/2022 – 12/31/2024), S21AF10015 (1/01/2021 – 12/31/2023), S20AF20092 (10/01/2020 – 9/30/2023), S20AF20006 (1/01/2020 –¬ 12/31/2022), S19AF20004 (12/01/2018 – 11/30/2023), S18AF20004 (11/01/2017 – 10/31/2023) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: The Department of Environmental Protection (DEP) administers the Abandoned Mine Land Reclamation (AMLR) program funded by the United States Department of the Interior (DOI). During the fiscal year ended June 30, 2023, DEP expended $60,055,889 within the AMLR program, of which $6,478,271 was paid to 16 subrecipient entities to provide abandoned mine land reclamation repairs and services throughout Pennsylvania. Up until the fiscal year ended June 30, 2022 timeframe, DEP considered these entities to be contractors and not subrecipients. However, once the entities were determined to be subrecipients, DEP began implementing procedures to ensure federal monitoring requirements were met to include on-site monitoring of subrecipient projects with signed Grant Manager monitoring report forms evidencing visit results. DEP also implemented subrecipient requirements of minimum quarterly Work Progress Reports and annual subrecipient Financial and Performance Reports. Our testing found these procedures were not implemented fully nor timely to ensure compliance throughout the fiscal year ended June 30, 2023. For a sample of six of the sixteen subrecipients, we reviewed relevant project correspondence and documentation to determine if DEP adequately monitored subrecipient projects and documented the results in accordance with procedures. Our testing found three of the six had sufficient documentation of on-site visits evidencing DEP oversight of the projects. However, only one included the subrecipient Work Progress Report and DEP manager signed monitoring report form; both required per DEP procedures. Due to the timing of procedure implementation, no subrecipient Financial and Performance Reports were submitted during the period. One of the six tested had project deficiencies. Sufficient evidence was available to show appropriate DEP follow-up and resolution. While Single Audits of the AMLR subrecipients may be conducted each year, this auditing activity does not compensate for during-the-award program monitoring, since the timing, focus, and scope of subrecipient auditing activities after year end are different than compliance monitoring to be performed by program officials during the year. Criteria: As part of administering the AMLR program, DEP must have policies, procedures, and controls in place to ensure compliance with federal requirements regarding pass-through entity monitoring of subrecipients. 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. Finding 2023 –¬ 010: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by § 200.521 [Management decision]. (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; and (2) Performing on-site reviews of the subrecipient's program operations; (3) Arranging for agreed-upon-procedures engagements as described in §200.425 [Audit services]. The standard contract agreement between DEP and the local grantee states, in part: Audit/Compliance Review Requirements - The contractor must comply with all applicable federal and state grant requirements including the Single Audit Act Amendments of 1996; 2 CFR Part 200 as amended; and any other applicable law or regulation, and any amendment to such other applicable law or regulation that may be enacted or promulgated by the federal government. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Once the determination was made that the contracts with these entities represented subrecipient agreements, DEP began implementing control procedures to ensure federal requirements were met and adequately documented. However, due to the transition time needed for implementation, we found these procedures were not fully or consistently implemented during the audit period. Effect: Without sufficient subrecipient monitoring, DEP cannot ensure compliance with federal statutes, regulations, and the terms and conditions of the subrecipient agreements. In addition, DEP cannot confirm that subrecipients are performing satisfactory work, ensure the efficient use of program resources, and minimize the risk for fraud and abuse. Completing on-site monitoring activities consistently and as designed is essential for DEP to determine whether the subrecipients are complying with federal regulations and spending grant funds appropriately. Recommendation: We recommend DEP continue to implement their written procedures for performing during-the-award subrecipient monitoring to ensure timely subrecipient compliance with federal regulations. On-site monitoring visits by DEP Grant Managers should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations. Agency Response: DEP agrees with the facts presented in this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Environmental Protection Finding 2023 –¬ 011: ALN 15.252 – Abandoned Mine Land Reclamation A Material Weakness and Material Noncompliance Exist at the Department of Environmental Protection Related to Cash Management of Federal Funds Federal Grant Number(s) and Year(s): S21AF10050 (6/01/2021 – 5/31/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Cash Management Condition: The Department of Environmental Protection (DEP) administers the Abandoned Mine Land Reclamation (AMLR) program funded by the United States Department of the Interior (DOI). During the fiscal year ended June 30, 2023, DEP expended $60,055,889 within the AMLR program, $8,900,470 or 14.8% of which was transferred to the Commonwealth Department of General Services (DGS) on July 6, 2022. DEP signed a Letter of Commitment (LOC) with DGS agreeing to transfer the funds as partial funding of a Capital Budget project for a third-party contractor to construct a new Acid Mine Drainage treatment facility estimated to cost approximately $26 million. Once transferred to DGS, these federal funds were combined with state Capital Budget funds and encumbered until project contractor payments began later in the fiscal year. Our review of transaction dates disclosed that DEP drew down $8,900,470 of AMLR federal funds on July 8, 2022; however, contractor payments did not begin until November 2022. A total of $9.1 million in contract payments were expended by the Commonwealth between November 2022 and June 30, 2023 fiscal year end. Therefore, DEP did not adequately limit the time between the drawdown of federal funds and the Commonwealth’s need for those funds, resulting in noncompliance with federal cash management regulations. Criteria: As part of administering the AMLR program, DEP must have policies, procedures, and controls in place to ensure compliance with federal cash management requirements and regulations. 2 CFR Section 200.305 (a), Federal Payment for pass through entities, states in part: a) For states, payments are governed by Treasury-State Cash Management Improvement Act (CMIA) agreements and default procedures codified at 31 CFR part 205. 31 CFR Section 205.33 (a) states in part: (a) A State must minimize the time between the drawdown of Federal funds from the Federal government and their disbursement for Federal program purposes. A Federal Program Agency must limit a funds transfer to a State to the minimum amounts needed by the State and must time the disbursement to be in accord with the actual, immediate cash requirements of the State in carrying out a Federal assistance program or project. The timing and amount of funds transfers must be as close as is administratively feasible to a State's actual cash outlay for direct program costs and the proportionate share of any allowable indirect costs. States should exercise sound cash management in funds transfers to subgrantees… Commonwealth Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Finding 2023 –¬ 011: (continued) Management should design control activities to achieve objectives and respond to risk. Management should implement control activities through policies. Cause: DGS has sole oversight of Capital Budget projects, one of which was partially funded by AMLR funds under the LOC between DEP and DGS. To have funds available for timely contract award, it is DGS practice to bill the agency for the entirety of the funds committed, including federal funds in this case, when a LOC is executed. Once transferred from the agency, funds are encumbered and held until project contractor payments are made. DEP did not have procedures in place to minimize the time between the drawdown of federal funds and their disbursement by DGS for project purposes. Effect: DEP did not minimize the time elapsing between the drawdown of $8,900,470 in AMLR funds and the actual need for the funds, resulting in noncompliance with federal cash management regulations. Recommendation: We recommend DEP implement policies and procedures when a LOC is executed for any future Capital Budget projects to minimize the time federal funds are held by the Commonwealth. Agency Response: DEP agrees with the facts presented in this finding. Questioned Costs: None

Office of the Budget – Governor’s Budget Office Finding 2023 –¬ 020: ALN 21.027 – COVID-19 – Coronavirus State and Local Fiscal Recovery Funds A Significant Deficiency and Noncompliance Exist at the Governor’s Budget Office Related to the Quarterly Project and Expenditure Report Federal Grant Number(s) and Year(s): TN75GJE1S7G3 (3/03/2021 – 12/31/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Reporting Condition: Two of 4 quarterly Project and Expenditure Reports were selected for testing. The Office of the Budget, Governor’s Budget Office (GBO) reported incomplete capital project information in these quarterly reports. Specifically, the following exceptions were noted: • A project’s description allows capital expenditures by beneficiaries, but GBO has reported it as a non-capital project on both quarterly Project and Expenditure reports. In addition, the Pennsylvania Emergency Management Agency (PEMA) does not require the beneficiaries receiving funding under this project to report their capital expenditures to PEMA. Therefore, GBO is unable to determine the amount of capital expenditures obligated and expended for this project. • A capital project in excess of $10 million was reported as a non-capital project on the March 31, 2023 quarterly report. GBO believes they correctly reported the project as a capital project, but the reporting portal incorrectly recorded their submission. However, GBO was unable to provide documentation that the project was identified as a capital project in their submission to the U.S. Treasury. • On the June 30, 2023 quarterly report, the project was correctly reported as a capital project and the required written justification was included, however, the justification did not include all required elements. Criteria: Per the Compliance and Reporting Guidance issued by the United States Department of the Treasury, recipients must report if a project includes capital expenditures, the type of capital expenditure, and the amount of capital expenditures obligated and expended. Per 31 CFR Section 35.6(b)(4), a recipient, other than a Tribal government, must prepare written justifications for capital projects with capital expenditures enumerated by Treasury in the final rule and with total capital expenditures greater than $10 million. Such written justifications must include the following elements: (i) Describe the harm or need to be addressed; (ii) Explain why a capital expenditure is appropriate; and (iii) Compare the proposed capital expenditure to at least two alternative capital expenditures and demonstrate why the proposed capital expenditure is superior. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Finding 2023 –¬ 020: (continued) Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: PEMA issued awards to 666 local Emergency Management Services (EMS) companies and the companies were allowed to expend the funds on a variety of uses, including capital expenditures. PEMA did not obtain detail of capital expenditures incurred from the companies and was therefore unable to provide the information to GBO for inclusion on the Project and Expenditure Reports. The required elements for capital project justifications are summarized on page 4390 of the Final Rule, but they are not mentioned in the Project and Expenditure Report User Guide nor in the Compliance and Reporting Guidance. Therefore, GBO was unaware that it was necessary to include specific elements in the justification. Effect: GBO did not properly identify and report capital projects. Errors included omitting capital project obligations and expenditures and incomplete justifications for a capital project greater than $10 million. Recommendation: We recommend that GBO ensures that all capital projects are properly reported and that justifications for capital projects greater than $10 million include all required elements. We further recommend that PEMA beneficiaries be required to submit expenditure detail to allow GBO to correctly report capital expenditures obligated and expended. Agency Response: GBO agrees with this finding. Limitations in the federal reporting portal, changing federal guidance, and the nature of programs being implemented which may be used for capital expenditures and a myriad of other non-capital uses complicates reporting compliance. Questioned Costs: None

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Labor and Industry Office of Administration – Office for Information Technology – Employment, Banking and Revenue Delivery Center Finding 2023 –¬ 017: ALN 84.126 – Rehabilitation Services – Vocational Rehabilitation Grants to States Inappropriate Privileged Access Granted to Program Personnel Federal Grant Number(s) and Year(s): – H126A220056 (10/01/2020 – 9/30/2021), H126A230056 (10/01/2021 – 9/30/2022), H126A230056 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance Compliance Requirement: Other Condition: As part of testing internal controls over the Vocational Rehabilitation Grants to States program, we performed certain tests of information technology (IT) general controls over a computer application used by the Department of Labor and Industry, Office of Vocational Rehabilitation (OVR) and supported by the Office of Administration – Office for Information Technology (OA-OIT) – Employment, Banking and Revenue (EBR) Delivery Center. During our testing we noted that an inappropriate application administrator role was assigned to 19 users who did not require the role to perform their job duties. Details of this issue have been provided to OVR and the EBR Delivery Center for corrective action. Criteria: Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). • Green Book Principle 11 – Design Activities for the Information System, states in part: o 11.12 Management designs control activities over access to protect an entity from inappropriate access and unauthorized use of the system. These control activities support appropriate segregation of duties. By preventing unauthorized use of and changes to the system, data and program integrity are protected from malicious intent (e.g., someone breaking into the technology to commit fraud, vandalism, or terrorism) or error. o 11.14 Management designs control activities to limit user access to information technology through authorization control activities, such as providing a unique user identification or token to authorized users. These control activities may restrict authorized users to the applications or functions commensurate with their assigned responsibilities, supporting an appropriate segregation of duties. Management designs other control activities to promptly update access rights when employees change job functions or leave the entity. Information Technology Policy – OPD SEC007a – Configurations for IDs, Passwords, and Multi-Factor Authentication, revised July 12, 2022, section 3.7 states, in part, • Least privileged. By default, all accounts should be assigned the lowest level of permissions. If elevated permissions are required a change request should be submitted and approved before elevated permissions are granted to any account. A well-designed system of internal controls dictates that effective IT general controls, which includes access controls to programs and data, be established and functioning to ensure that overall agency operations are conducted in accordance with management’s intent. Finding 2023 –¬ 017: (continued) Cause: OVR management requested the privileged role be added to the profiles of the 19 users to allow the users to resolve an access issue. Rather than creating a new role designed to narrowly accommodate the access needs of the users, the existing process followed by an EBR Delivery Center Systems administrator granted an existing privileged role to the users that also gave them the ability to add and delete users from the application as well as assign other powerful roles. Further, OVR’s periodic review of user access performed during the audit period failed to identify the additional permissions granted by the use of the privileged role assignments. The inappropriate role was removed from the users’ profiles after the audit period once the auditors pointed out the issue. Effect: Assigning inappropriate access to users could result in unauthorized changes to the application and data, misuse of the application, or system actions outside management’s intent, which could result in noncompliance with federal laws and regulations. Further, without properly functioning IT general controls, the auditors are precluded from reliance on computer controls in the Rehabilitation Services program. Recommendation: We recommend that OVR management and EBR Delivery Center management work together to: • Update the user access request form to clarify the circumstances under which privileged roles may be assigned to application users; • Provide training to personnel on the Commonwealth policy noted above requiring least privilege; • Consider creating new privileged roles that allow administrators to assign the lowest level of permissions; • Consider creating a process to grant temporary access to administrative roles in special situations; and • Ensure the periodic access reviews of users include an assessment of the appropriateness of role assignments. Agency Response: Department of Labor and Industry – Office of Vocational Rehabilitation and the Office of Administration – Office for Information Technology – Employment, Banking and Revenue Delivery Center agree with the finding. Questioned Costs: None

Department of Labor and Industry Finding 2023 – 018: ALN 84.126 – Rehabilitation Services – Vocational Rehabilitation Grants to States A Significant Deficiency and Noncompliance Exist in the Department of Labor and Industry’s Procedures Related to Period of Performance Requirements Federal Grant Number(s) and Year(s): H126A210056 (10/01/2020 – 9/30/2022) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Period of Performance Condition: During our audit of the Rehabilitation Services – Vocational Rehabilitation Grants to States (RS-VR) program, we tested internal control over and compliance with period of performance requirements for the grant awarded by the United States Department of Education that had a period of performance date ending during the fiscal year ended June 30, 2023 audit period. • Two of 55 expenditures tested that were charged to the federal fiscal year 2021 RS-VR grant that closed during the audit period, were incurred after the allowable period of performance. These expenditures included two rental payments totaling $8,763. Both payments were for November 2022 rental charges but were charged to the grant which had a period end date of September 30, 2022. Expenditures posted in the last month of the allowable period of performance and after (including the two rental payments) totaled $36,651,862. Management was unable to provide authorization from the federal awarding agency for allowance of the expenditures occurring outside of the period of performance. Criteria: 2 CFR Section 200.303(a), Internal controls, states: The non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2 CFR Section 200.309, Period of performance, states: A non-Federal entity may charge to the Federal award only allowable costs incurred during the period of performance (except as described in §200.461 Publication and printing costs) and any costs incurred before the Federal awarding agency or pass-through entity made the award that were authorized by the Federal awarding agency or pass-through entity. Management Directive 325.12, Amended, Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2023 – 018: (continued) Cause: Office of Vocational Rehabilitation (OVR), Pennsylvania Department of Labor and Industry personnel did not check service dates prior to submitting invoices for payment which were charged to the federal fiscal year 2021 grant. OVR personnel did not have adequate procedures in place to ensure that only costs incurred during the allowable period of performance were charged to the grant. Effect: Expenditures outside of the allowable period of performance were incorrectly charged to the grant without authorization by the federal awarding agency, resulting in noncompliance and questioned costs. Recommendation: We recommend that OVR personnel implement procedures to ensure that costs and adjustments being charged to a federal grant are incurred within the allowable period of performance of the grant to which they are being charged, or when necessary, obtain authorization from the federal awarding agency prior to charging costs that are outside the allowable period of performance. Agency Response: OVR agrees with this finding. Questioned Costs: Known questioned costs of $8,763 were determined, which represents the amount of transactions incurred and charged to the federal grant outside the allowable period of performance.

Department of Labor and Industry Office of the Budget – Office of Comptroller Operations Finding 2023 – 019: ALN 84.126 – Rehabilitation Services – Vocational Rehabilitation Grants to States A Significant Deficiency and Noncompliance Exist Related to the Preparation and Submission of the Quarterly RSA-17 Report Federal Grant Number(s) and Year(s): H126A230056 (10/01/2022 – 9/30/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Reporting Condition: The Office of Vocational Rehabilitation (OVR), Pennsylvania Department of Labor and Industry, is required to submit an RSA-17, Vocational Rehabilitation Financial Report, for the Rehabilitation Services – Vocational Rehabilitation Grants to States (RS-VR) program to the United States Department of Education (USDE) on a quarterly basis. The RSA-17 report includes data related to the federal share of expenditures to date, the federal share of unliquidated obligations, the federal program income earned, the program income expended and unexpended, indirect charges to the grant, as well as other general information that is necessary to ensure compliance with program requirements. During the fiscal year ended June 30, 2023, we selected all RSA-17 reports submitted for two of the four quarters and the final report submitted for the grant that closed during the audit period for testing. As part of the report testing, we obtained supporting general ledger documentation to determine if the agency appropriately reported the data in the Rehabilitation Services Administration (RSA) system where the RSA-17 reports are submitted. Our testing disclosed that the Business Enterprise Program expenditures reported on the June 30, 2023 filing for Federal Grant H126A230056 were not correctly input into the RSA system. The amount reported was $26,409,010, when actual expenditures were $264,090 based on supporting documentation. Although the RSA-17 report was subjected to a documented supervisory review and approval, the incorrect reported amount remained undetected by Commonwealth management until notification by the auditor. Criteria: 2 CFR Section 200.303(a), Internal controls, states: The non-Federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the committee of the Sponsoring Organizations of the Treadway Commission (COSO). 34 CFR Section 361.40, Reports; Evaluation standards and performance indicators, states: (a) Reports. (1) The vocational rehabilitation services portion of the Unified or Combined State Plan must assure that the designated State agency will submit reports, including reports required under sections 13, 14, and 101(a)(10) of the Act – (i) In the form and level of detail and at the time required by the Secretary regarding applicants for and eligible individuals receiving services, including students receiving pre-employment transition services in accordance with section 361.48(a); and Finding 2023 – 019: (continued) (ii) In a manner that provides a complete count (other than the information obtained through sampling consistent with section 101(a)(10)(E) of the Act) of the applicants and eligible individuals to – (A) Permit the greatest possible cross-classification of data; and (B) Protect the confidentiality of the identity of each individual. (2) The designated State agency must comply with any requirements necessary to ensure the accuracy and verification of those reports. Management Directive 325.12, Amended, Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Bureau of Accounting and Financial Management personnel did not review the data input into the RSA system for errors prior to submission of the report. OVR did not have adequate procedures in place to ensure accurate report submissions as prepared by Bureau of Accounting and Financial Management. Effect: Since the report preparation and the supervisory review and approval process were not adequate, the Business Enterprise Program expenditures were incorrectly reported on the RSA-17 report submitted to USDE. OVR was not in compliance with federal regulations. Recommendation: OVR should ensure their written procedures for the review, approval, and submission of the RSA-17 reports are improved and fully implemented. The procedures should have sufficient detail to ensure the RSA-17 reports are prepared accurately and in accordance with federal regulations. In addition, OVR should correct the error and submit a revised RSA-17 report to USDE. OVR Response: OVR agrees with this finding. OCO Response: OCO agrees with this finding. Questioned Costs: None

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Aging Finding 2023 – 002: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging’s Maintenance of Effort Certification Reporting Process Federal Grant Number(s) and Year(s): 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Matching, Level of Effort, Earmarking and Reporting Condition: The Pennsylvania Department of Aging (PDOA) is required to spend at least the average amount of state funds for aging services and administration that it reported as spent under the state plan for these activities for the three previous fiscal years. The amount of state funds expended is subsequently required to be reported to the United States Department of Health and Human Services (HHS) on the Certification of Maintenance of Effort (MOE). Our testing confirmed that PDOA met the state spending requirement for the federal fiscal year (FFY) ended September 30, 2022, for Title III, Parts B and C applicable to the Aging Cluster. However, PDOA did not file the MOE Certification for the FFY ended September 30, 2022, as required. The certification includes other Title III Parts applicable to other, non-Aging Cluster, federal programs. Criteria: 45 CFR Section 1321.49, State agency maintenance of effort, states: In order to avoid a penalty, each fiscal year the State agency, to meet the required non-federal share applicable to its allotments under this part, shall spend under the State plan for both services and administration at least the average amount of State funds it spent under the plan for the three previous fiscal years. If the State agency spends less than this amount, the Commissioner reduces the State’s allotments for supportive and nutrition services under this part by a percentage equal to the percentage by which the State reduced its expenditures. Per Administration for Community Living reporting instructions, the Certification of Maintenance of Effort (form OMB 0985-0009) is required to be submitted annually by the State agency. Commonwealth Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should design control activities to achieve objectives and respond to risk. Management should implement control activities through policies. Cause: PDOA officials indicated that the MOE Certification was not submitted to HHS due to staff turnover which resulted in an oversight of the reporting requirement. Effect: Since the PDOA did not submit the MOE Certification as required, PDOA is not in compliance with the Level of Effort reporting requirements. In addition, without the required MOE Certification, HHS has no documented assurance that PDOA met the state requirement for the FFY ended September 30, 2022. Finding 2023 – 002: (continued) Recommendation: We recommend that PDOA implement procedures to ensure the MOE Certification is submitted to HHS at the end of each FFY as required. Agency Response: PDOA agrees with this finding. Questioned Costs: None

Department of Aging Finding 2023 –¬ 003: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging Related to Subrecipient Monitoring Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Within the Aging Cluster, the Pennsylvania Department of Aging (PDOA) contracts with 52 Area Agency on Aging subrecipients to provide various services that include cares support, preventive health, and nutrition services, among others. Our audit testing disclosed that PDOA did not perform subrecipient monitoring on any of the subrecipients during the fiscal year ended June 30, 2023. The Aging Cluster subrecipients received $81.0 million out of Aging Cluster Program expenditures totaling $81.7 million reported on the Schedule of Expenditures of Federal Awards (SEFA). Criteria: 45 CFR Section 1321.11 State agencies policies, states in part: (a) The State agency on aging shall develop policies governing all aspects of programs operated under this part… The State agency is responsible for enforcement of these policies. (b) The policies developed by the State agency shall address the manner in which the State agency will monitor the performance of all programs and activities initiated under this part for quality and effectiveness. 45 CFR Section 75.352, Requirements for pass-through entities, states: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity… Finding 2023 ¬– 003: (continued) (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; and (2) Performing on-site reviews of the subrecipient's program operations; (3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services). Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: While PDOA has subrecipient monitoring procedures in place, PDOA officials indicated that these procedures were not performed for Aging Cluster subrecipients due to staffing shortages. Effect: Without proper subrecipient monitoring, PDOA cannot ensure compliance with grant requirements and federal regulations, including allowable costs and other requirements. Recommendation: PDOA should perform risk based during-the-award monitoring procedures for all Aging Cluster subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations. Agency Response: PDOA agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Aging Finding 2023 – 002: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging’s Maintenance of Effort Certification Reporting Process Federal Grant Number(s) and Year(s): 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Matching, Level of Effort, Earmarking and Reporting Condition: The Pennsylvania Department of Aging (PDOA) is required to spend at least the average amount of state funds for aging services and administration that it reported as spent under the state plan for these activities for the three previous fiscal years. The amount of state funds expended is subsequently required to be reported to the United States Department of Health and Human Services (HHS) on the Certification of Maintenance of Effort (MOE). Our testing confirmed that PDOA met the state spending requirement for the federal fiscal year (FFY) ended September 30, 2022, for Title III, Parts B and C applicable to the Aging Cluster. However, PDOA did not file the MOE Certification for the FFY ended September 30, 2022, as required. The certification includes other Title III Parts applicable to other, non-Aging Cluster, federal programs. Criteria: 45 CFR Section 1321.49, State agency maintenance of effort, states: In order to avoid a penalty, each fiscal year the State agency, to meet the required non-federal share applicable to its allotments under this part, shall spend under the State plan for both services and administration at least the average amount of State funds it spent under the plan for the three previous fiscal years. If the State agency spends less than this amount, the Commissioner reduces the State’s allotments for supportive and nutrition services under this part by a percentage equal to the percentage by which the State reduced its expenditures. Per Administration for Community Living reporting instructions, the Certification of Maintenance of Effort (form OMB 0985-0009) is required to be submitted annually by the State agency. Commonwealth Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should design control activities to achieve objectives and respond to risk. Management should implement control activities through policies. Cause: PDOA officials indicated that the MOE Certification was not submitted to HHS due to staff turnover which resulted in an oversight of the reporting requirement. Effect: Since the PDOA did not submit the MOE Certification as required, PDOA is not in compliance with the Level of Effort reporting requirements. In addition, without the required MOE Certification, HHS has no documented assurance that PDOA met the state requirement for the FFY ended September 30, 2022. Finding 2023 – 002: (continued) Recommendation: We recommend that PDOA implement procedures to ensure the MOE Certification is submitted to HHS at the end of each FFY as required. Agency Response: PDOA agrees with this finding. Questioned Costs: None

Department of Aging Finding 2023 –¬ 003: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging Related to Subrecipient Monitoring Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Within the Aging Cluster, the Pennsylvania Department of Aging (PDOA) contracts with 52 Area Agency on Aging subrecipients to provide various services that include cares support, preventive health, and nutrition services, among others. Our audit testing disclosed that PDOA did not perform subrecipient monitoring on any of the subrecipients during the fiscal year ended June 30, 2023. The Aging Cluster subrecipients received $81.0 million out of Aging Cluster Program expenditures totaling $81.7 million reported on the Schedule of Expenditures of Federal Awards (SEFA). Criteria: 45 CFR Section 1321.11 State agencies policies, states in part: (a) The State agency on aging shall develop policies governing all aspects of programs operated under this part… The State agency is responsible for enforcement of these policies. (b) The policies developed by the State agency shall address the manner in which the State agency will monitor the performance of all programs and activities initiated under this part for quality and effectiveness. 45 CFR Section 75.352, Requirements for pass-through entities, states: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity… Finding 2023 ¬– 003: (continued) (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; and (2) Performing on-site reviews of the subrecipient's program operations; (3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services). Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: While PDOA has subrecipient monitoring procedures in place, PDOA officials indicated that these procedures were not performed for Aging Cluster subrecipients due to staffing shortages. Effect: Without proper subrecipient monitoring, PDOA cannot ensure compliance with grant requirements and federal regulations, including allowable costs and other requirements. Recommendation: PDOA should perform risk based during-the-award monitoring procedures for all Aging Cluster subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations. Agency Response: PDOA agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Aging Finding 2023 – 002: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging’s Maintenance of Effort Certification Reporting Process Federal Grant Number(s) and Year(s): 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Matching, Level of Effort, Earmarking and Reporting Condition: The Pennsylvania Department of Aging (PDOA) is required to spend at least the average amount of state funds for aging services and administration that it reported as spent under the state plan for these activities for the three previous fiscal years. The amount of state funds expended is subsequently required to be reported to the United States Department of Health and Human Services (HHS) on the Certification of Maintenance of Effort (MOE). Our testing confirmed that PDOA met the state spending requirement for the federal fiscal year (FFY) ended September 30, 2022, for Title III, Parts B and C applicable to the Aging Cluster. However, PDOA did not file the MOE Certification for the FFY ended September 30, 2022, as required. The certification includes other Title III Parts applicable to other, non-Aging Cluster, federal programs. Criteria: 45 CFR Section 1321.49, State agency maintenance of effort, states: In order to avoid a penalty, each fiscal year the State agency, to meet the required non-federal share applicable to its allotments under this part, shall spend under the State plan for both services and administration at least the average amount of State funds it spent under the plan for the three previous fiscal years. If the State agency spends less than this amount, the Commissioner reduces the State’s allotments for supportive and nutrition services under this part by a percentage equal to the percentage by which the State reduced its expenditures. Per Administration for Community Living reporting instructions, the Certification of Maintenance of Effort (form OMB 0985-0009) is required to be submitted annually by the State agency. Commonwealth Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should design control activities to achieve objectives and respond to risk. Management should implement control activities through policies. Cause: PDOA officials indicated that the MOE Certification was not submitted to HHS due to staff turnover which resulted in an oversight of the reporting requirement. Effect: Since the PDOA did not submit the MOE Certification as required, PDOA is not in compliance with the Level of Effort reporting requirements. In addition, without the required MOE Certification, HHS has no documented assurance that PDOA met the state requirement for the FFY ended September 30, 2022. Finding 2023 – 002: (continued) Recommendation: We recommend that PDOA implement procedures to ensure the MOE Certification is submitted to HHS at the end of each FFY as required. Agency Response: PDOA agrees with this finding. Questioned Costs: None

Department of Aging Finding 2023 –¬ 003: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging Related to Subrecipient Monitoring Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Within the Aging Cluster, the Pennsylvania Department of Aging (PDOA) contracts with 52 Area Agency on Aging subrecipients to provide various services that include cares support, preventive health, and nutrition services, among others. Our audit testing disclosed that PDOA did not perform subrecipient monitoring on any of the subrecipients during the fiscal year ended June 30, 2023. The Aging Cluster subrecipients received $81.0 million out of Aging Cluster Program expenditures totaling $81.7 million reported on the Schedule of Expenditures of Federal Awards (SEFA). Criteria: 45 CFR Section 1321.11 State agencies policies, states in part: (a) The State agency on aging shall develop policies governing all aspects of programs operated under this part… The State agency is responsible for enforcement of these policies. (b) The policies developed by the State agency shall address the manner in which the State agency will monitor the performance of all programs and activities initiated under this part for quality and effectiveness. 45 CFR Section 75.352, Requirements for pass-through entities, states: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity… Finding 2023 ¬– 003: (continued) (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; and (2) Performing on-site reviews of the subrecipient's program operations; (3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services). Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: While PDOA has subrecipient monitoring procedures in place, PDOA officials indicated that these procedures were not performed for Aging Cluster subrecipients due to staffing shortages. Effect: Without proper subrecipient monitoring, PDOA cannot ensure compliance with grant requirements and federal regulations, including allowable costs and other requirements. Recommendation: PDOA should perform risk based during-the-award monitoring procedures for all Aging Cluster subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations. Agency Response: PDOA agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Aging Finding 2023 – 002: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging’s Maintenance of Effort Certification Reporting Process Federal Grant Number(s) and Year(s): 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Matching, Level of Effort, Earmarking and Reporting Condition: The Pennsylvania Department of Aging (PDOA) is required to spend at least the average amount of state funds for aging services and administration that it reported as spent under the state plan for these activities for the three previous fiscal years. The amount of state funds expended is subsequently required to be reported to the United States Department of Health and Human Services (HHS) on the Certification of Maintenance of Effort (MOE). Our testing confirmed that PDOA met the state spending requirement for the federal fiscal year (FFY) ended September 30, 2022, for Title III, Parts B and C applicable to the Aging Cluster. However, PDOA did not file the MOE Certification for the FFY ended September 30, 2022, as required. The certification includes other Title III Parts applicable to other, non-Aging Cluster, federal programs. Criteria: 45 CFR Section 1321.49, State agency maintenance of effort, states: In order to avoid a penalty, each fiscal year the State agency, to meet the required non-federal share applicable to its allotments under this part, shall spend under the State plan for both services and administration at least the average amount of State funds it spent under the plan for the three previous fiscal years. If the State agency spends less than this amount, the Commissioner reduces the State’s allotments for supportive and nutrition services under this part by a percentage equal to the percentage by which the State reduced its expenditures. Per Administration for Community Living reporting instructions, the Certification of Maintenance of Effort (form OMB 0985-0009) is required to be submitted annually by the State agency. Commonwealth Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should design control activities to achieve objectives and respond to risk. Management should implement control activities through policies. Cause: PDOA officials indicated that the MOE Certification was not submitted to HHS due to staff turnover which resulted in an oversight of the reporting requirement. Effect: Since the PDOA did not submit the MOE Certification as required, PDOA is not in compliance with the Level of Effort reporting requirements. In addition, without the required MOE Certification, HHS has no documented assurance that PDOA met the state requirement for the FFY ended September 30, 2022. Finding 2023 – 002: (continued) Recommendation: We recommend that PDOA implement procedures to ensure the MOE Certification is submitted to HHS at the end of each FFY as required. Agency Response: PDOA agrees with this finding. Questioned Costs: None

Department of Aging Finding 2023 –¬ 003: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging Related to Subrecipient Monitoring Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Within the Aging Cluster, the Pennsylvania Department of Aging (PDOA) contracts with 52 Area Agency on Aging subrecipients to provide various services that include cares support, preventive health, and nutrition services, among others. Our audit testing disclosed that PDOA did not perform subrecipient monitoring on any of the subrecipients during the fiscal year ended June 30, 2023. The Aging Cluster subrecipients received $81.0 million out of Aging Cluster Program expenditures totaling $81.7 million reported on the Schedule of Expenditures of Federal Awards (SEFA). Criteria: 45 CFR Section 1321.11 State agencies policies, states in part: (a) The State agency on aging shall develop policies governing all aspects of programs operated under this part… The State agency is responsible for enforcement of these policies. (b) The policies developed by the State agency shall address the manner in which the State agency will monitor the performance of all programs and activities initiated under this part for quality and effectiveness. 45 CFR Section 75.352, Requirements for pass-through entities, states: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity… Finding 2023 ¬– 003: (continued) (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; and (2) Performing on-site reviews of the subrecipient's program operations; (3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services). Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: While PDOA has subrecipient monitoring procedures in place, PDOA officials indicated that these procedures were not performed for Aging Cluster subrecipients due to staffing shortages. Effect: Without proper subrecipient monitoring, PDOA cannot ensure compliance with grant requirements and federal regulations, including allowable costs and other requirements. Recommendation: PDOA should perform risk based during-the-award monitoring procedures for all Aging Cluster subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations. Agency Response: PDOA agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Aging Finding 2023 – 002: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging’s Maintenance of Effort Certification Reporting Process Federal Grant Number(s) and Year(s): 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Matching, Level of Effort, Earmarking and Reporting Condition: The Pennsylvania Department of Aging (PDOA) is required to spend at least the average amount of state funds for aging services and administration that it reported as spent under the state plan for these activities for the three previous fiscal years. The amount of state funds expended is subsequently required to be reported to the United States Department of Health and Human Services (HHS) on the Certification of Maintenance of Effort (MOE). Our testing confirmed that PDOA met the state spending requirement for the federal fiscal year (FFY) ended September 30, 2022, for Title III, Parts B and C applicable to the Aging Cluster. However, PDOA did not file the MOE Certification for the FFY ended September 30, 2022, as required. The certification includes other Title III Parts applicable to other, non-Aging Cluster, federal programs. Criteria: 45 CFR Section 1321.49, State agency maintenance of effort, states: In order to avoid a penalty, each fiscal year the State agency, to meet the required non-federal share applicable to its allotments under this part, shall spend under the State plan for both services and administration at least the average amount of State funds it spent under the plan for the three previous fiscal years. If the State agency spends less than this amount, the Commissioner reduces the State’s allotments for supportive and nutrition services under this part by a percentage equal to the percentage by which the State reduced its expenditures. Per Administration for Community Living reporting instructions, the Certification of Maintenance of Effort (form OMB 0985-0009) is required to be submitted annually by the State agency. Commonwealth Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should design control activities to achieve objectives and respond to risk. Management should implement control activities through policies. Cause: PDOA officials indicated that the MOE Certification was not submitted to HHS due to staff turnover which resulted in an oversight of the reporting requirement. Effect: Since the PDOA did not submit the MOE Certification as required, PDOA is not in compliance with the Level of Effort reporting requirements. In addition, without the required MOE Certification, HHS has no documented assurance that PDOA met the state requirement for the FFY ended September 30, 2022. Finding 2023 – 002: (continued) Recommendation: We recommend that PDOA implement procedures to ensure the MOE Certification is submitted to HHS at the end of each FFY as required. Agency Response: PDOA agrees with this finding. Questioned Costs: None

Department of Aging Finding 2023 –¬ 003: ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Department of Aging Related to Subrecipient Monitoring Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Within the Aging Cluster, the Pennsylvania Department of Aging (PDOA) contracts with 52 Area Agency on Aging subrecipients to provide various services that include cares support, preventive health, and nutrition services, among others. Our audit testing disclosed that PDOA did not perform subrecipient monitoring on any of the subrecipients during the fiscal year ended June 30, 2023. The Aging Cluster subrecipients received $81.0 million out of Aging Cluster Program expenditures totaling $81.7 million reported on the Schedule of Expenditures of Federal Awards (SEFA). Criteria: 45 CFR Section 1321.11 State agencies policies, states in part: (a) The State agency on aging shall develop policies governing all aspects of programs operated under this part… The State agency is responsible for enforcement of these policies. (b) The policies developed by the State agency shall address the manner in which the State agency will monitor the performance of all programs and activities initiated under this part for quality and effectiveness. 45 CFR Section 75.352, Requirements for pass-through entities, states: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity… Finding 2023 ¬– 003: (continued) (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; and (2) Performing on-site reviews of the subrecipient's program operations; (3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services). Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: While PDOA has subrecipient monitoring procedures in place, PDOA officials indicated that these procedures were not performed for Aging Cluster subrecipients due to staffing shortages. Effect: Without proper subrecipient monitoring, PDOA cannot ensure compliance with grant requirements and federal regulations, including allowable costs and other requirements. Recommendation: PDOA should perform risk based during-the-award monitoring procedures for all Aging Cluster subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations. Agency Response: PDOA agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Human Services Finding 2023 –¬ 016: ALN 93.775, 93.777, and 93.778 – Medicaid Cluster (including COVID-19) A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to the Medicaid National Correct Coding Initiative (A Similar Condition Was Noted in Prior Year Finding 2022-009) Federal Grant Number(s) and Year(s): 2205PA5MAP (10/01/2022 – 9/30/2023), 2205PA5ADM (10/01/2022 – 9/30/2023), 2105PA5MAP (10/01/2021 – 9/30/2022), 2105PA5ADM (10/01/2021 – 9/30/2022) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to the Medicaid National Correct Coding Initiative (NCCI) Condition: The Pennsylvania Department of Human Services (DHS) is required by the United States Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), to implement six required Medicaid NCCI methodologies. These methodologies include procedure-to-procedure and medically unlikely edits of Medicaid fee-for-service claims submitted for processing through DHS’s PROMISe system to ensure that only proper payments of Medicaid procedures are reimbursed. As part of this process, DHS is required to download quarterly NCCI edit tables from CMS which are subsequently uploaded into PROMISe by DHS’s PROMISe vendor. During the fiscal year ended June 30, 2023, DHS did not ensure that its contract and amendments with the PROMISe vendor included one of the seven elements of the NCCI Confidentiality Agreement required by the HHS/CMS Medicaid NCCI Technical Guidance Manual. The one element missing was: • Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. Criteria: Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to significant changes that could impact the internal control system. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.2, Sharing of State Medicaid NCCI Edit Files by States with Other Entities, states in part: A state Medicaid agency may share these quarterly state Medicaid NCCI edit files which are posted on the secure RISSNET [Regional Information Sharing System Network] portal with the contracted fiscal agent that processes its FFS [fee-for-service] claims or with any of its contracted Medicaid managed-care entities that is using the Medicaid NCCI methodologies in its processing of claims or encounter data, if appropriate confidentiality agreements are in place. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.3, Confidentiality Agreements Requirements for Contracted Parties, states: At a minimum, the following elements must be included in the confidentiality agreements for any contracted party using the Medicaid NCCI files posted on the secure RISSNET portal: Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. Finding 2023 –¬ 016: (continued) After the start of the new calendar quarter, a contracted party may disclose only non-confidential information contained in the Medicaid NCCI edit files that is also available to the general public found on the NCCI Medicaid webpage. The contracted party agrees to use any non-public information from the quarterly state Medicaid NCCI edit files only for any business purposes directly related to the implementation of the Medicaid NCCI methodologies in the particular state. New, revised, or deleted Medicaid NCCI edits shall not be published or otherwise shared with individuals, medical societies, or any other entities unless it is a contracted party prior to the posting of the Medicaid NCCI edits on the NCCI Medicaid webpage. Implementation of new, revised, or deleted Medicaid NCCI edits shall not occur prior to the first day of the calendar quarter. Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. State Medicaid agencies must impose penalties, up to and including loss of contract, for violations of any confidentiality agreement relating to use of the secure RISSNET portal edit files. Cause: In amendments in 2022 and 2023, DHS personnel added six of the seven confidentiality agreement elements required by the HHS/CMS Medicaid NCCI Technical Guidance Manual to the PROMISe vendor contract amendment but did not add the remaining one element in the 2023 amendment. DHS believed the 2023 amendment along with the existing contract included all of the missing elements. Effect: Since DHS did not ensure one of the seven elements of the required NCCI confidentiality agreement was included in its contract with the PROMISe vendor, DHS was not in compliance with federal regulations. Recommendation: DHS should ensure the one missing element of the required NCCI confidentiality agreement is included in an amendment to its contract with the PROMISe vendor. Agency Response: DHS agrees with this finding. Questioned Costs: None

Department of Human Services Finding 2023 –¬ 016: ALN 93.775, 93.777, and 93.778 – Medicaid Cluster (including COVID-19) A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to the Medicaid National Correct Coding Initiative (A Similar Condition Was Noted in Prior Year Finding 2022-009) Federal Grant Number(s) and Year(s): 2205PA5MAP (10/01/2022 – 9/30/2023), 2205PA5ADM (10/01/2022 – 9/30/2023), 2105PA5MAP (10/01/2021 – 9/30/2022), 2105PA5ADM (10/01/2021 – 9/30/2022) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to the Medicaid National Correct Coding Initiative (NCCI) Condition: The Pennsylvania Department of Human Services (DHS) is required by the United States Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), to implement six required Medicaid NCCI methodologies. These methodologies include procedure-to-procedure and medically unlikely edits of Medicaid fee-for-service claims submitted for processing through DHS’s PROMISe system to ensure that only proper payments of Medicaid procedures are reimbursed. As part of this process, DHS is required to download quarterly NCCI edit tables from CMS which are subsequently uploaded into PROMISe by DHS’s PROMISe vendor. During the fiscal year ended June 30, 2023, DHS did not ensure that its contract and amendments with the PROMISe vendor included one of the seven elements of the NCCI Confidentiality Agreement required by the HHS/CMS Medicaid NCCI Technical Guidance Manual. The one element missing was: • Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. Criteria: Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to significant changes that could impact the internal control system. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.2, Sharing of State Medicaid NCCI Edit Files by States with Other Entities, states in part: A state Medicaid agency may share these quarterly state Medicaid NCCI edit files which are posted on the secure RISSNET [Regional Information Sharing System Network] portal with the contracted fiscal agent that processes its FFS [fee-for-service] claims or with any of its contracted Medicaid managed-care entities that is using the Medicaid NCCI methodologies in its processing of claims or encounter data, if appropriate confidentiality agreements are in place. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.3, Confidentiality Agreements Requirements for Contracted Parties, states: At a minimum, the following elements must be included in the confidentiality agreements for any contracted party using the Medicaid NCCI files posted on the secure RISSNET portal: Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. Finding 2023 –¬ 016: (continued) After the start of the new calendar quarter, a contracted party may disclose only non-confidential information contained in the Medicaid NCCI edit files that is also available to the general public found on the NCCI Medicaid webpage. The contracted party agrees to use any non-public information from the quarterly state Medicaid NCCI edit files only for any business purposes directly related to the implementation of the Medicaid NCCI methodologies in the particular state. New, revised, or deleted Medicaid NCCI edits shall not be published or otherwise shared with individuals, medical societies, or any other entities unless it is a contracted party prior to the posting of the Medicaid NCCI edits on the NCCI Medicaid webpage. Implementation of new, revised, or deleted Medicaid NCCI edits shall not occur prior to the first day of the calendar quarter. Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. State Medicaid agencies must impose penalties, up to and including loss of contract, for violations of any confidentiality agreement relating to use of the secure RISSNET portal edit files. Cause: In amendments in 2022 and 2023, DHS personnel added six of the seven confidentiality agreement elements required by the HHS/CMS Medicaid NCCI Technical Guidance Manual to the PROMISe vendor contract amendment but did not add the remaining one element in the 2023 amendment. DHS believed the 2023 amendment along with the existing contract included all of the missing elements. Effect: Since DHS did not ensure one of the seven elements of the required NCCI confidentiality agreement was included in its contract with the PROMISe vendor, DHS was not in compliance with federal regulations. Recommendation: DHS should ensure the one missing element of the required NCCI confidentiality agreement is included in an amendment to its contract with the PROMISe vendor. Agency Response: DHS agrees with this finding. Questioned Costs: None

Department of Human Services Finding 2023 –¬ 016: ALN 93.775, 93.777, and 93.778 – Medicaid Cluster (including COVID-19) A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to the Medicaid National Correct Coding Initiative (A Similar Condition Was Noted in Prior Year Finding 2022-009) Federal Grant Number(s) and Year(s): 2205PA5MAP (10/01/2022 – 9/30/2023), 2205PA5ADM (10/01/2022 – 9/30/2023), 2105PA5MAP (10/01/2021 – 9/30/2022), 2105PA5ADM (10/01/2021 – 9/30/2022) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to the Medicaid National Correct Coding Initiative (NCCI) Condition: The Pennsylvania Department of Human Services (DHS) is required by the United States Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), to implement six required Medicaid NCCI methodologies. These methodologies include procedure-to-procedure and medically unlikely edits of Medicaid fee-for-service claims submitted for processing through DHS’s PROMISe system to ensure that only proper payments of Medicaid procedures are reimbursed. As part of this process, DHS is required to download quarterly NCCI edit tables from CMS which are subsequently uploaded into PROMISe by DHS’s PROMISe vendor. During the fiscal year ended June 30, 2023, DHS did not ensure that its contract and amendments with the PROMISe vendor included one of the seven elements of the NCCI Confidentiality Agreement required by the HHS/CMS Medicaid NCCI Technical Guidance Manual. The one element missing was: • Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. Criteria: Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to significant changes that could impact the internal control system. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.2, Sharing of State Medicaid NCCI Edit Files by States with Other Entities, states in part: A state Medicaid agency may share these quarterly state Medicaid NCCI edit files which are posted on the secure RISSNET [Regional Information Sharing System Network] portal with the contracted fiscal agent that processes its FFS [fee-for-service] claims or with any of its contracted Medicaid managed-care entities that is using the Medicaid NCCI methodologies in its processing of claims or encounter data, if appropriate confidentiality agreements are in place. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.3, Confidentiality Agreements Requirements for Contracted Parties, states: At a minimum, the following elements must be included in the confidentiality agreements for any contracted party using the Medicaid NCCI files posted on the secure RISSNET portal: Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. Finding 2023 –¬ 016: (continued) After the start of the new calendar quarter, a contracted party may disclose only non-confidential information contained in the Medicaid NCCI edit files that is also available to the general public found on the NCCI Medicaid webpage. The contracted party agrees to use any non-public information from the quarterly state Medicaid NCCI edit files only for any business purposes directly related to the implementation of the Medicaid NCCI methodologies in the particular state. New, revised, or deleted Medicaid NCCI edits shall not be published or otherwise shared with individuals, medical societies, or any other entities unless it is a contracted party prior to the posting of the Medicaid NCCI edits on the NCCI Medicaid webpage. Implementation of new, revised, or deleted Medicaid NCCI edits shall not occur prior to the first day of the calendar quarter. Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. State Medicaid agencies must impose penalties, up to and including loss of contract, for violations of any confidentiality agreement relating to use of the secure RISSNET portal edit files. Cause: In amendments in 2022 and 2023, DHS personnel added six of the seven confidentiality agreement elements required by the HHS/CMS Medicaid NCCI Technical Guidance Manual to the PROMISe vendor contract amendment but did not add the remaining one element in the 2023 amendment. DHS believed the 2023 amendment along with the existing contract included all of the missing elements. Effect: Since DHS did not ensure one of the seven elements of the required NCCI confidentiality agreement was included in its contract with the PROMISe vendor, DHS was not in compliance with federal regulations. Recommendation: DHS should ensure the one missing element of the required NCCI confidentiality agreement is included in an amendment to its contract with the PROMISe vendor. Agency Response: DHS agrees with this finding. Questioned Costs: None

Department of Human Services Finding 2023 –¬ 016: ALN 93.775, 93.777, and 93.778 – Medicaid Cluster (including COVID-19) A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to the Medicaid National Correct Coding Initiative (A Similar Condition Was Noted in Prior Year Finding 2022-009) Federal Grant Number(s) and Year(s): 2205PA5MAP (10/01/2022 – 9/30/2023), 2205PA5ADM (10/01/2022 – 9/30/2023), 2105PA5MAP (10/01/2021 – 9/30/2022), 2105PA5ADM (10/01/2021 – 9/30/2022) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to the Medicaid National Correct Coding Initiative (NCCI) Condition: The Pennsylvania Department of Human Services (DHS) is required by the United States Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), to implement six required Medicaid NCCI methodologies. These methodologies include procedure-to-procedure and medically unlikely edits of Medicaid fee-for-service claims submitted for processing through DHS’s PROMISe system to ensure that only proper payments of Medicaid procedures are reimbursed. As part of this process, DHS is required to download quarterly NCCI edit tables from CMS which are subsequently uploaded into PROMISe by DHS’s PROMISe vendor. During the fiscal year ended June 30, 2023, DHS did not ensure that its contract and amendments with the PROMISe vendor included one of the seven elements of the NCCI Confidentiality Agreement required by the HHS/CMS Medicaid NCCI Technical Guidance Manual. The one element missing was: • Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. Criteria: Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to significant changes that could impact the internal control system. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.2, Sharing of State Medicaid NCCI Edit Files by States with Other Entities, states in part: A state Medicaid agency may share these quarterly state Medicaid NCCI edit files which are posted on the secure RISSNET [Regional Information Sharing System Network] portal with the contracted fiscal agent that processes its FFS [fee-for-service] claims or with any of its contracted Medicaid managed-care entities that is using the Medicaid NCCI methodologies in its processing of claims or encounter data, if appropriate confidentiality agreements are in place. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.3, Confidentiality Agreements Requirements for Contracted Parties, states: At a minimum, the following elements must be included in the confidentiality agreements for any contracted party using the Medicaid NCCI files posted on the secure RISSNET portal: Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. Finding 2023 –¬ 016: (continued) After the start of the new calendar quarter, a contracted party may disclose only non-confidential information contained in the Medicaid NCCI edit files that is also available to the general public found on the NCCI Medicaid webpage. The contracted party agrees to use any non-public information from the quarterly state Medicaid NCCI edit files only for any business purposes directly related to the implementation of the Medicaid NCCI methodologies in the particular state. New, revised, or deleted Medicaid NCCI edits shall not be published or otherwise shared with individuals, medical societies, or any other entities unless it is a contracted party prior to the posting of the Medicaid NCCI edits on the NCCI Medicaid webpage. Implementation of new, revised, or deleted Medicaid NCCI edits shall not occur prior to the first day of the calendar quarter. Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. State Medicaid agencies must impose penalties, up to and including loss of contract, for violations of any confidentiality agreement relating to use of the secure RISSNET portal edit files. Cause: In amendments in 2022 and 2023, DHS personnel added six of the seven confidentiality agreement elements required by the HHS/CMS Medicaid NCCI Technical Guidance Manual to the PROMISe vendor contract amendment but did not add the remaining one element in the 2023 amendment. DHS believed the 2023 amendment along with the existing contract included all of the missing elements. Effect: Since DHS did not ensure one of the seven elements of the required NCCI confidentiality agreement was included in its contract with the PROMISe vendor, DHS was not in compliance with federal regulations. Recommendation: DHS should ensure the one missing element of the required NCCI confidentiality agreement is included in an amendment to its contract with the PROMISe vendor. Agency Response: DHS agrees with this finding. Questioned Costs: None

Department of Human Services Finding 2023 –¬ 016: ALN 93.775, 93.777, and 93.778 – Medicaid Cluster (including COVID-19) A Significant Deficiency and Noncompliance Exist at the Department of Human Services Related to the Medicaid National Correct Coding Initiative (A Similar Condition Was Noted in Prior Year Finding 2022-009) Federal Grant Number(s) and Year(s): 2205PA5MAP (10/01/2022 – 9/30/2023), 2205PA5ADM (10/01/2022 – 9/30/2023), 2105PA5MAP (10/01/2021 – 9/30/2022), 2105PA5ADM (10/01/2021 – 9/30/2022) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Special Tests and Provisions related to the Medicaid National Correct Coding Initiative (NCCI) Condition: The Pennsylvania Department of Human Services (DHS) is required by the United States Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), to implement six required Medicaid NCCI methodologies. These methodologies include procedure-to-procedure and medically unlikely edits of Medicaid fee-for-service claims submitted for processing through DHS’s PROMISe system to ensure that only proper payments of Medicaid procedures are reimbursed. As part of this process, DHS is required to download quarterly NCCI edit tables from CMS which are subsequently uploaded into PROMISe by DHS’s PROMISe vendor. During the fiscal year ended June 30, 2023, DHS did not ensure that its contract and amendments with the PROMISe vendor included one of the seven elements of the NCCI Confidentiality Agreement required by the HHS/CMS Medicaid NCCI Technical Guidance Manual. The one element missing was: • Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. Criteria: Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to significant changes that could impact the internal control system. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.2, Sharing of State Medicaid NCCI Edit Files by States with Other Entities, states in part: A state Medicaid agency may share these quarterly state Medicaid NCCI edit files which are posted on the secure RISSNET [Regional Information Sharing System Network] portal with the contracted fiscal agent that processes its FFS [fee-for-service] claims or with any of its contracted Medicaid managed-care entities that is using the Medicaid NCCI methodologies in its processing of claims or encounter data, if appropriate confidentiality agreements are in place. The HHS/CMS Medicaid NCCI Technical Guidance Manual, Section 7.1.3, Confidentiality Agreements Requirements for Contracted Parties, states: At a minimum, the following elements must be included in the confidentiality agreements for any contracted party using the Medicaid NCCI files posted on the secure RISSNET portal: Disclosure shall be limited to only those responsible for the implementation of the quarterly state Medicaid NCCI edit files. Finding 2023 –¬ 016: (continued) After the start of the new calendar quarter, a contracted party may disclose only non-confidential information contained in the Medicaid NCCI edit files that is also available to the general public found on the NCCI Medicaid webpage. The contracted party agrees to use any non-public information from the quarterly state Medicaid NCCI edit files only for any business purposes directly related to the implementation of the Medicaid NCCI methodologies in the particular state. New, revised, or deleted Medicaid NCCI edits shall not be published or otherwise shared with individuals, medical societies, or any other entities unless it is a contracted party prior to the posting of the Medicaid NCCI edits on the NCCI Medicaid webpage. Implementation of new, revised, or deleted Medicaid NCCI edits shall not occur prior to the first day of the calendar quarter. Only a state Medicaid agency has the discretion to release additional information for selected individual edits or limited ranges of edits from the files posted on the secure RISSNET portal. State Medicaid agencies must impose penalties, up to and including loss of contract, for violations of any confidentiality agreement relating to use of the secure RISSNET portal edit files. Cause: In amendments in 2022 and 2023, DHS personnel added six of the seven confidentiality agreement elements required by the HHS/CMS Medicaid NCCI Technical Guidance Manual to the PROMISe vendor contract amendment but did not add the remaining one element in the 2023 amendment. DHS believed the 2023 amendment along with the existing contract included all of the missing elements. Effect: Since DHS did not ensure one of the seven elements of the required NCCI confidentiality agreement was included in its contract with the PROMISe vendor, DHS was not in compliance with federal regulations. Recommendation: DHS should ensure the one missing element of the required NCCI confidentiality agreement is included in an amendment to its contract with the PROMISe vendor. Agency Response: DHS agrees with this finding. Questioned Costs: None

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 – 024: ALN 10.553, 10.555, 10.556, 10.559, and 10.582 – Child Nutrition Cluster (including COVID-19) ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 10.557 – WIC Special Supplemental Nutrition Program for Women, Infants, and Children ALN 10.558 – Child and Adult Care Food Program ALN 84.010 – Title I Grants to Local Educational Agencies ALN 84.027 and 84.173¬ – Special Education Cluster (IDEA) (including COVID-19) ALN 84.367 – Supporting Effective Instruction State Grants ALN 84.425C – COVID-19 – Education Stabilization Fund - GEER Fund ALN 84.425D – COVID-19 – Education Stabilization Fund - ESSER Fund ALN 84.425R – COVID-19 – Education Stabilization Fund - CRRSA EANS ALN 84.425U – COVID-19 – Education Stabilization Fund - ARP ESSER ALN 84.425V – COVID-19 – Education Stabilization Fund - ARP EANS ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) A Material Weakness and Material Noncompliance Exist in the Commonwealth’s Subrecipient Audit Resolution Process (A Similar Condition Was Noted in Prior Year Finding 2022-014) Federal Grant Number(s) and Year(s): 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD 10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA365N8903 (1/01/2022 – 9/30/2023), 231PA365N8903 (10/01/2022 – 9/30/2024), 231PA305L1603 (10/01/2022 – 9/30/2023), 221PA305L1603 (10/01/2021 – 9/30/2022), 221PA825Y8005 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8105 (10/01/2022 – 9/30/2023), 201PA715W5003 (10/01/2019 – 9/30/2023), 211PA715W5003 (10/01/2020 – 9/30/2024), 221PA705W1003 (10/01/2021 – 9/30/2022), 221PA705W1006 (10/01/2021 – 9/30/2022), 221PA715W5003 (10/01/2021 – 9/30/2024), 231PA705W1003 (10/01/2022 – 9/30/2023), 231PA705W1006 (10/01/2022 – 9/30/2023), 231PA715W5003 (10/01/2022 – 9/30/2025), 221PA305N1099 (10/01/2021 – 9/30/2022), 231PA305N1099 (10/01/2022 – 9/30/2023), 221PA315N1050 (10/01/2021 – 9/30/2023), 231PA315N1050 (10/01/2022 – 9/30/2024), 221PA305N2020 (10/01/2021 – 9/30/2022), 231PA305N2020 (10/01/2022 – 9/30/2023), S010A190038 (7/01/2019 – 9/30/2022), S010A200038 (7/01/2020 – 9/30/2022), S010A210038 (7/01/2021 – 9/30/2022), S010A220038 (7/01/2022 – 9/30/2024), S367A150051 (7/01/2015 – 9/30/2017), S367A190051 (7/01/2019 – 9/30/2021), S367A200051 (7/01/2020 – 9/30/2022), S367A210051 (7/01/2021 – 9/30/2023), S367A220051 (7/01/2022 – 9 /30/2024), H027A200093 (7/01/2020 – 9/30/2022), H027A210093 (7/01/2021 – 9/30/2023), H027A220093 (7/01/2022 – 9/30/2024), H027X210093 (7/01/2021 – 9/30/2023), H173A200090 (7/01/2020 – 9/30/2022), H173A210090 (7/01/2021 – 9/30/2023), H173A220090 (7/01/2022 – 9/30/2024), H173X210090 (7/01/2021 – 9/30/2023), S425W210039 (4/23/2021 – 9/30/2024), S425U210028 (3/24/2021 – 9/30/2023), S425D210028 (1/05/2021 – 9/30/2023), S425C200013 (5/18/2020 – 4/01/2024), S425R210037 (3/13/2020 – 9/30/2023), S425V210037 (11/16/2021 – 9/30/2023), S425C210013 (3/13/2020 – 9/30/2023), S425D200028 (3/13/2020 – 9/30/2022), NU50CK000527 (8/01/2019 – 7/31/2024) Finding 2023 – 024: (continued) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Subrecipient Monitoring Condition: Under the Commonwealth of Pennsylvania's (Commonwealth) implementation of the Single Audit Act, review and resolution of subrecipient Single Audit reports is split into two stages. The Office of the Budget’s Bureau of Accounting and Financial Management (OB-BAFM) ensures the reports meet technical standards through a centralized desk review process. The various funding agencies in the Commonwealth are responsible for making a management decision on each finding within six months of the Federal Audit Clearinghouse’s (FAC) Management Decision Letter (MDL) start date for audits subject to Uniform Guidance and to ensure appropriate corrective action is taken by the subrecipient (except for Uniform Guidance audits under U.S. Department of Labor programs which are permitted 12 months for management decisions in accordance with 2 CFR Section 2900.21). Each Commonwealth agency is also responsible for reviewing financial information in each audit report to determine whether the audit included all pass-through funding provided by the agency in order to ensure pass-through funds were subject to audit. Most agencies meet this requirement by performing Schedule of Expenditures of Federal Awards (SEFA) reconciliations. The agency is also required to adjust Commonwealth records, if necessary. Our fiscal year ended June 30, 2023 audit of the Commonwealth’s process for review and resolution of subrecipient Single Audits included an evaluation of the Commonwealth’s fiscal year ended June 30, 2022 subrecipient audit universe for audits due for submission to the FAC during the fiscal year ended June 30, 2023. We also evaluated the Commonwealth’s review of 44 subrecipient audit reports with findings in major programs/clusters which were identified on the Commonwealth agencies’ tracking lists during the fiscal year ended June 30, 2023 and required management decisions by Commonwealth agencies. Our testing disclosed the following audit exceptions regarding the Commonwealth agencies’ review of subrecipient audit reports: • Pennsylvania Department of Aging (PDOA): Our testing disclosed that PDOA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 10.5 months after the FAC MDL start date for the one audit report with findings. • Department of Agriculture (PDA): Our testing disclosed that PDA did not have procedures in place to track audit reports including having an audit tracking list. The time period for making a management decision on findings was approximately 12 months to over 18 months after the FAC MDL start date for three out of three audit reports with findings. There was also a delay in PDA’s procedures to ensure the subrecipient SEFAs were accurate so that major programs were properly determined and subjected to audit. Our testing disclosed one audit report submitted to the FAC over nine months late that included $19.4 million in subrecipient expenditures passed through PDA. In addition, our testing disclosed that PDA subgranted federal funds totaling approximately $4.8 million to five subrecipients during the fiscal year ended June 30, 2022, for which Single Audits were not submitted to the FAC as of our January 2024 testing date. This was over 16 or 10 months after the respective, September 30, 2022 or March 31, 2023 due dates. • Department of Education (PDE): The time period for making a management decision on findings was approximately 9.3 to over 16.9 months after the FAC MDL start date for 14 out of 22 audit reports with findings. One of the 14 audit reports was improperly classified on PDE’s audit tracking list as not having federal award findings. There were additional audit reports with findings listed on PDE’s audit tracking list where management decisions were not made timely. • Department of Health (DOH): The time period for making a management decision on findings was over 11 months after the FAC MDL start date for two out of two audit reports with findings. One audit report with the late management decision on findings was excluded from DOH’s tracking list. Finding 2023 – 024: (continued) Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward, and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and written confirmation from the subrecipient, highlighting the status of actions planned or taken to address Single Audit findings related to the particular subaward. (3) Issuing a management decision for applicable audit findings pertaining only to the Federal award provided to the subrecipient from the pass-through entity as required by §200.521 [Management decision]. (f) Verify that every subrecipient is audited as required by Subpart F [Audit Requirements] of this part when it is expected that the subrecipient’s Federal awards expended during the respective fiscal year equaled or exceeded the threshold set forth in §200.501 [Audit requirements]. (g) Consider whether the results of the subrecipient’s audit, on-site review, or other monitoring indicate conditions that necessitate adjustments to the pass-through entity’s own records. (h) Consider taking enforcement action against noncompliant subrecipients as described in §200.339 [Remedies for noncompliance] of this part and in program regulations. In order to carry out these responsibilities properly, good internal control dictates that state pass-through agencies ensure subrecipient Single Audit SEFAs are representative of state payment records each year, and that the related federal programs have been properly subjected to Single Audit procedures. 2 CFR Section 200.512, Report submission, states in part: (a) General. (1) The audit must be completed and the data collection form described in paragraph (b) of this section and reporting package described in paragraph (c) of this section must be submitted within the earlier of 30 calendar days after receipt of the auditor’s report(s), or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or Federal holiday, the reporting package is due the next business day. 2 CFR Section 200.521, Management decision, states in part: (a) General. The management decision must clearly state whether or not the finding is sustained, the reasons for the decision, and the expected auditee action to repay disallowed costs, make financial adjustments, or take other action. (d) Time requirements. The Federal awarding agency or pass-through entity responsible for issuing a management decision must do so within six months of acceptance of the audit report by the FAC. The auditee must initiate and proceed with corrective action as rapidly as possible and corrective action should begin no later than upon receipt of the audit report. 2 CFR Section 200.505, Sanctions, states: In cases of continued inability or unwillingness to have an audit conducted in accordance with this part, Federal agencies and pass-through entities must take appropriate action as provided in §200.339 [Remedies for noncompliance]. Finding 2023 – 024: (continued) 2 CFR Section 200.339, Remedies for noncompliance, states in part: If a non-Federal entity fails to comply with the U.S. Constitution, Federal statutes, regulations or the terms and conditions of a Federal award, the Federal awarding agency or pass-through entity may impose additional conditions, as described in §200.208 [Specific conditions]. If the Federal awarding agency or pass-through entity determines that noncompliance cannot be remedied by imposing additional conditions, the federal awarding agency or pass-through entity may take one or more of the following actions, as appropriate in the circumstances. (a) Temporarily withhold cash payments pending correction of the deficiency by the non-Federal entity or more severe enforcement action by the Federal awarding agency or pass-through entity. (b) Disallow (that is, deny both use of funds and any applicable matching credit for) all or part of the cost of the activity or action not in compliance. (c) Wholly or partly suspend or terminate the Federal award. (d) Initiate suspension or debarment proceedings as authorized under 2 CFR Part 180 and Federal awarding agency regulations (or in the case of a pass-through entity, recommend such a proceeding be initiated by a Federal awarding agency). (e) Withhold further Federal awards for the project or program. (f) Take other remedies that may be legally available. To ensure Commonwealth enforcement of federal regulations for subrecipient noncompliance with audit requirements, Commonwealth Management Directive 325.08, Amended – Remedies for Recipient Noncompliance with Audit Requirements, Section 5 related to policy, states in part: (a) Agencies must develop and implement remedial action that reflects the unique requirements of each program… (b) The remedial action should be implemented within six months from the date the first remedial action is initiated. At the end of the six-month period, the recipient should take the appropriate corrective action or the final stage of remedial action should be imposed on the recipient. Examples of remedial action include, but are not limited to: (1) Meeting or calling the recipient to explain the importance and benefits of the audit and audit resolution processes, emphasizing the value of the audit as an administrative tool and the Commonwealth’s reliance on an acceptable audit and prompt resolution as evidence of the recipient’s ability to properly administer the program. (2) Encouraging the entity to establish an audit committee or designate an individual as the single point of contact to: (a) Communicate regarding the audit. (b) Arrange for and oversee the audit. (c) Direct and monitor audit resolution. (3) Providing technical assistance to the recipient in devising and implementing an appropriate plan to remedy the noncompliance. (4) Withholding a portion of assistance payments until the noncompliance is resolved. (5) Withholding or disallowing overhead costs until the noncompliance is resolved. (6) Suspending the assistance agreement until the noncompliance is resolved. Finding 2023 – 024: (continued) (7) Terminating the assistance agreement with the recipient and, if necessary, seeking alternative entities to administer the program. Management Directive 325.09, Amended – Processing Subrecipient Single Audits of Federal Pass-Through Funds, Section 7 related to procedures, states in part: c. Agencies. (2) Evaluate single audit report submissions received from BAFM to determine program purpose acceptability by verifying, at a minimum, that all agency-funded programs are properly included on the applicable financial schedules; that findings affecting the agency contain sufficient information to facilitate a management decision; and that the subrecipient has submitted an adequate corrective action plan. (5) Issue management decisions relative to audit findings and crosscutting findings assigned to the agency for resolution, as required by 2 CFR §200.521. If responsible for the resolution of crosscutting findings, notify the affected agency or agencies upon resolution of such findings. (7) Impose or coordinate the imposition of remedial action in accordance with 2 CFR Part 200.339 and Management Directive 325.08 Amended, Remedies for Recipient Noncompliance with Audit Requirements, when subrecipients fail to comply with the provisions of Subpart F. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: One reason provided by Commonwealth management for untimely audit resolution in the various agencies, including making management decisions, approving corrective action, and performing procedures to ensure the accuracy of subrecipient SEFAs, was either a change in staff or a lack of staff to follow up and process subrecipient audit reports more timely. Regarding late and outstanding audit report submissions, the Commonwealth agencies did not appear to be timely implementing remedial action steps in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08 in order to ensure compliance with federal audit submission requirements. Effect: Since required management decisions were not made within six months to ensure appropriate corrective action was taken on audits received from subrecipients, the Commonwealth did not comply with federal regulations, and subrecipients were not made aware of acceptance or rejection of corrective action plans in a timely manner. Further, noncompliance may recur in future periods if control deficiencies are not corrected on a timely basis, and there is an increased risk of unallowable charges being made to federal programs if corrective action and recovery of questioned costs is not timely. Regarding the SEFA reviews or alternate procedures which are not being performed timely and the late Single Audit report submissions, there is an increased risk that subrecipients could be misspending and/or inappropriately tracking and reporting federal funds over multiple year periods, and these discrepancies may not be properly monitored, detected, and corrected by agency personnel on a timely basis as required. Finally, additional federal pass-through funds may be unaudited in the future without timely and effective remedial action from Commonwealth agencies to enforce compliance. Finding 2023 – 024: (continued) Recommendation: We recommend that the above weaknesses that cause untimely subrecipient Single Audit resolution, including untimely management decisions on findings, untimely review of the SEFA or alternate procedures, and late audit report submissions be corrected to ensure compliance with federal requirements and Commonwealth Management Directives, and to better ensure timelier subrecipient compliance with program requirements. Commonwealth agencies should promptly pursue outstanding audits and implement remedial action steps on a timely basis in accordance with 2 CFR Section 200.339 and Commonwealth Management Directive 325.08. DOH Response: DOH agrees with the finding. PDOA Response: PDOA agrees with the finding. PDA Response: PDA agrees with the finding and will be hiring a complement position to ensure compliance in the future. PDE Response: PDE agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Education Finding 2023 – 009: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Significant Deficiency and Noncompliance Exist in the Review and Approval of Subrecipient Education Leading to Employment and Career Training Expenditure Reports by the Pennsylvania Department of Education Federal Grant Number(s) and Year(s): 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Activities Allowed or Unallowed, Allowable Costs/Cost Principles Condition: The Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Education (PDE) have worked collaboratively to assist expectant and parenting youth through an initiative called Education Leading to Employment and Career Training (ELECT). ELECT works with expectant and parenting youth who qualify for assistance through Temporary Assistance for Needy Families (TANF), or are otherwise income-eligible, to support their continuation of or return to school to complete their secondary education. ELECT programs are operated by Local Education Agencies (LEA) that consist of school districts and Intermediate Units (IU). During the fiscal year ended June 30, 2023, PDE passed funding through to 27 LEAs for the operation of ELECT programs. TANF ELECT program payments made by PDE to its 27 subrecipients during the fiscal year ended June 30, 2023 were $14.1 million, or 3.1 percent of total TANF expenditures of $455.7 million reported on the June 30, 2023 Schedule of Expenditures of Federal Awards. As part of our testing of subrecipient expenditures, we selected three subrecipient expenditure reports to test PDE’s procedures for processing subgrantee requests for reimbursement. Our testing found that for one of the three ELECT Expenditure Reports selected for testing, the expenditure report was not certified by an authorized subgrantee official. Criteria: 2 CFR Section 200.415, Required certifications, states: Required certifications include: (a) To assure that expenditures are proper and in accordance with the terms and conditions of the Federal award and approved project budgets, the annual and final fiscal reports or vouchers requesting payment under the agreements must include a certification, signed by an official who is authorized to legally bind the non-Federal entity, which reads as follows: “By signing this report, I certify to the best of my knowledge and belief that the report is true, complete, and accurate, and the expenditures, disbursements and cash receipts are for the purposes and objectives set forth in the terms and conditions of the Federal award. I am aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject me to criminal, civil or administrative penalties for fraud, false statements, false claims or otherwise. (U.S. Code Title 18, Section 1001 and Title 31, Sections 3729-3730 and 3801-3812).” Finding 2023 – 009: (continued) 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). 45 CFR Section 75.352, applicable to TANF states: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. PDE’s Education Leading to Employment and Career Training (ELECT) Operational Guidelines states in part: Authorized Signature: An authorized signature is required on expenditure reports for grants with federal funds. The authorized signatory is taking responsibility for the federal funds; make sure that someone of authority is signing the report. It will not be processed without the signature. Cause: Although PDE requires subrecipients to utilize an ELECT Expenditure Report template that includes a box for an authorized subgrantee signatory to sign which states: By signing this report, I certify to the best of my knowledge and belief that the report is true, complete, and accurate, and the expenditures, disbursements and cash receipts are for the purposes and objectives set forth in the terms and conditions of the Federal award. I am aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject me to criminal, civil or administrative penalties for fraud, false statements, false claims or otherwise. (U.S. Code Title 18, Section 1001 and Title 31, Sections 3729-3730 and 3801-3812). PDE’s review did not detect that the expenditure report was not certified by an authorized subgrantee official. PDE did not follow their written operational guidelines which state that PDE should ensure that someone of authority is signing the report and that the expenditure report will not be processed without the signature. PDE management indicated that they monitor subrecipients and request backup documentation for expenditures listed in the requests for reimbursement; however, without subrecipient certifications only limited assurance of the allowability of the activities and costs for which the subrecipient was requesting reimbursement can be obtained. Finding 2023 – 009: (continued) Effect: Without appropriate certifications, PDE cannot be assured that subrecipient expenditures are proper and in accordance with the terms and conditions of the Federal award and approved project budgets. Further, the subrecipient noted in the condition above may have received unallowable cost reimbursements from the TANF program. PDE is not in compliance with federal regulations relating to required certifications, and a significant deficiency exists. If not corrected, the processing of expenditure reports without certifications could result in the reimbursement of unallowable costs and result in future grant awards being reduced. Recommendation: PDE should strengthen its procedures and controls to ensure that required certifications are obtained prior to passing funding through to subrecipients. Further, PDE should request that subgrantees resubmit any expenditure reports from which the required certifications were missing. Agency Response: PDE agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Human Services Finding 2023 – 012: ALN 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2022-006) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 – 9/30/2022), 231PA405S2514 (10/01/2022 – 9/30/2023), 1701PATANF (10/01/2016 – 9/30/2017), 2101PATANF (10/01/2020 – 9/30/2021), 2101PATANFC6 (10/01/2020 – 9/30/2022), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2023 totaled $5.5 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2023 totaled $116.8 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our testing of the physical security over EBT cards, we noted exceptions at ten CAO and district locations selected for testing. These exceptions included the following: 1) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a CAO (1 location); 2) The Roles/Permissions Report from the EBT Card Tracking Database provided by the EBT Project Office and CAO/district offices did not reconcile (1 district office and 5 CAO locations); 3) EBT cards were created outside of the hours of operations (1 district office and 1 CAO location); 4) Failure to perform the following: • Completion of the witness fields on a Ribbon Log (1 CAO location); • Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 district office); • Ensure that coverage for card pinning is available until 5:00 PM each business day (2 locations); • Enter EBT cards into the EBT Card Tracking Database at the same time that the card Primary Account Number (PAN) is created in the Electronic Payment Processing and Information Control (EPPIC) system (1 CAO location); • Maintain adequate security of EBT cards (1 district office); • Maintain adequate security of pinning device (1 district office); • Maintain adequate security of EBT card printing device (1 district office); Finding 2023 – 012: (continued) • Maintain operational efficiency due to only having one PIN Select Device (1 CAO location); • Maintain Form HS 764 in the case record after the EBT card is created (1 CAO location); • Maintain an EPPIC EBT Systems Application form (1 CAO location); • Proper completion of the EPPIC EBT Systems Application form; the form requested the user be granted an EPPIC Admin role (inquiry-only access) as well as a PIN Select User role (1 CAO location); • Timely enter a shipment received into the EBT Card Tracking Database (1 CAO location); and • Timely completion and submission of the EPPIC EBT Systems Application forms to the Office of Income Maintenance (OIM) EBT Security (1 district office and 3 CAO locations). Forty of the 261 business days in the current audit period were selected to test the handling and destruction of returned EBT cards. During our testing of the handling and destruction of returned EBT cards, we noted exceptions on one of the 40 business days selected for testing. These exceptions included the following: 1) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Approved by the Project Officer" column of the EBT Headquarters Card Destruction Log was signed and dated by the supervisor one day after the “Cards Destroyed by” column was signed and dated by the clerk. The cards were destroyed prior to the review/approval by the supervisor. 2) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Number of Cards Received by the Project Officer” column of the EBT Headquarters Card Destruction Log was not completed by the supervisor. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions – N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also §75.361, 75.362, 75.363, 75.364, and 75.365): (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See §75.303. Finding 2023 – 012: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Human Services Finding 2023 –¬ 013: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Significant Deficiency and Noncompliance Exist Over the Preparation and Submission of the ACF-204 and ACF-196P Reports Federal Grant Number(s) and Year(s): 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2001PATANF (10/01/2019 – 9/30/2020), 1901PATANF (10/01/2018 – 9/30/2019), 1801PATANF (10/01/2017 – 9/30/2018), 1701PATANF (10/01/2016 – 9/30/2017) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Reporting Condition: The Pennsylvania Department of Human Services (DHS) is required to file the ACF-204, Annual Report including the Annual Report on State Maintenance-of-Effort Programs (ACF-204 Report) each federal fiscal year with the United States Department of Health and Human Services, Administration for Children and Families (ACF). The ACF-204 Report contains information on the Temporary Assistance for Needy Families (TANF) program and the State's Maintenance-of-Effort (MOE) programs for that year. DHS is also required to file the ACF-196R, State TANF Financial Report (ACF-196R Report) quarterly with ACF, 45 days after each quarter of the fiscal year. The quarterly ACF-196R Reports reflect expenditures cumulative through that quarter for the federal fiscal year for each open grant award and includes MOE expenditures. The sum of the MOE expenditure amounts claimed on the annual ACF-204 Report should equal the total MOE expenditure amounts claimed on the state’s 4th quarter ACF-196R Report. However, when we reviewed the ACF-204 Report and the 196R-Report filed for September 30, 2022 the reported MOE expenditures did not agree. We determined the ACF-204 Report was inaccurate because edits were made to the ACF-196R Report after submission to ACF and the edits were not updated on the ACF-204 Report. The ACF-204 Report is prepared by DHS program personnel and the ACF-196R Report is prepared by the Office of Comptroller’s Operations (OCO). The ACF-196R Report originally submitted in November 2022 had been revised and resubmitted in March 2023. We noted the following differences between the total state MOE expenditure amounts reported on the two reports: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE The MOE expenditure amounts reported on the original ACF-204 Report were overstated by a total of $3,980,250. Although the ACF-196R Report had been revised in March 2023, there was no subsequent revision to the ACF-204 Report to correct the MOE line items. After our 2023 audit inquiry, DHS program personnel subsequently revised and resubmitted the report to ACF in September 2023 with the correct MOE expenditure amounts. Finding 2023 –¬ 013: (continued) In addition, our procedures disclosed that the ACF-196P Report (TANF Pandemic Emergency Assistance Fund Report) was submitted late. The ACF-196P Report was due December 29, 2022, but was not submitted until January 6, 2023. Criteria: 45 CFR Section 265.9 (a) states: Each State must file an annual report containing information on the TANF program and the State’s MOE programs for that year. TANF-ACF-PI-2001-06, Clarification on Completing the Annual Reports on TANF Programs (Attachment A) and State Maintenance-of-Effort (MOE) Programs (Form ACF-204) (Attachment B) issued by ACF, recommends that State program and fiscal staff coordinate their efforts to complete the ACF-204 information. The sum of the MOE amounts claimed in this report should equal the total MOE amounts claimed under all programs on the State's 4th quarter financial reporting form ACF-196 Report. Management Directive 325.12, Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should design control activities to achieve objectives and respond to risks. Management should externally communicate the necessary quality information to achieve the entity’s objectives. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Pursuant to section 403(c) of the Social Security Act, states must use the ACF-196P form to report TANF PEAF (Pandemic Emergency Assistance Fund) expenditure data. TANF-ACF-PI-2021-08, Program Instructions for the Completion of the TANF Financial Form ACF-196P for the Pandemic Emergency Assistance Fund, states that each grantee must submit completed ACF-196P forms to ACF within 90 days of the end of each federal fiscal year, that is, the quarter ending (QE) September 30. Reports for the PEAF awards for QE September 30, 2022 were due December 29, 2022. Cause: The ACF-204 Report overstatement was discovered as a result of auditor inquiry. Although OCO personnel communicated that a revised ACF196R Report was filed, program personnel did not recognize the need to revise the ACF-204 Report. Regarding the untimely filing of the ACF-196P Report, DHS asked OCO to request an extension as DHS was waiting for guidance from ACF to finalize accounting and close out the grant. The grant must be closed before OCO can prepare and file the final report. However, ACF did not grant the extension. Effect: Inaccuracies on the ACF-204 Report, could lead to the federal government’s inability to determine if the Commonwealth met its MOE requirements for the fiscal year. Furthermore, inaccurate reporting on the ACF-204 Report and untimely reporting of the ACF-196P Report could subject the Commonwealth to penalties. Recommendation: We recommend that program personnel coordinate with OCO personnel to ensure the MOE amounts reported in the ACF-204 Report are correct and equal the form ACF-196R amounts, the ACF-196P is submitted timely, and that federal reports are in compliance with federal requirements. Agency Response: DHS agrees with this finding. Questioned Costs: None

Department of Human Services Finding 2023 ¬– 014: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) Department of Human Services Did Not Validate Financial Information as Part of Its On-Site Monitoring of Temporary Assistance for Needy Families Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2022-008) Federal Grant Number(s) and Year(s): 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2001PATANF (10/01/2019 – 9/30/2020), 1901PATANF (10/01/2018 – 9/30/2019), 1801PATANF (10/01/2017 – 9/30/2018), 1701PATANF (10/01/2016 – 9/30/2017) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: During the fiscal year ended June 30, 2023, the Department of Human Services (DHS) paid $82.4 million in Temporary Assistance for Needy Families (TANF) funding to subrecipients within the New Directions, Cash Grants, and Alternatives to Abortion appropriations (or 18.1 percent) out of total federal TANF expenditures of $455.7 million reported on the June 30, 2023 Schedule of Expenditures of Federal Awards. Our testing of DHS’s during-the-award monitoring of subrecipients for the fiscal year ended June 30, 2023 disclosed that DHS performed on-site monitoring for 13 out of 14 subrecipients selected for testing. The on-site monitoring that was performed consisted of reviews of program operations including design, data entry accuracy and timeliness, case management analysis, and program payment performance goals. The on-site monitoring also included a review of a sample of TANF recipient case files to ensure that the recipients’ TANF activities were documented and accurately entered in the Commonwealth’s Workforce Development System. However, DHS’s monitoring procedures for the 13 subrecipients were not adequate as they did not include a review or monitoring of subrecipient financial records, which would provide an assessment of a subrecipient’s compliance with applicable federal regulations. Although DHS’s monitoring procedures include reviewing subrecipient completed questionnaires for selected subrecipients that had questions related to financial matters, DHS’s monitoring personnel did not review subrecipient financial records. For example, DHS did not perform procedures to ensure subrecipient invoices agreed to the books and records of the subrecipient and that the records were adequate to support the allowability of costs paid by DHS during the award period. In addition, DHS’s monitoring procedures did not include an evaluation of the operating effectiveness of DHS subrecipients’ procedures to monitor Single Audits and any related findings. Our testing of the 14 subrecipients noted above included follow up on one subrecipient identified in the prior year finding as not being on-site monitored by DHS when the risk assessment warranted on-site monitoring. Our follow-up during the current audit period disclosed that DHS did not conduct on-site monitoring for this subrecipient during the fiscal year ended June 30, 2023. Since the on-site monitoring was not completed, internal control weaknesses, noncompliance, and questioned costs may have existed and remained undetected during the current audit period. This subrecipient received $1 million of TANF funds during the fiscal year ended June 30, 2023. Criteria: 45 CFR Section 75.352, Requirements for pass-through entities, states: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. Finding 2023 –¬ 014: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by § 75.521 [Management decision]. 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; (2) Performing on-site reviews of the subrecipient's program operations; and (3) Arranging for agreed-upon-procedures engagements as described in §200.425 [Audit services]. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: DHS provided new during-the-award monitoring procedures to be used for the on-site monitoring of subrecipients, but these procedures were not in place for monitoring conducted during the fiscal year ended June 30, 2023. Therefore, DHS has not implemented adequate during-the-award monitoring procedures of subrecipients to include testing of the financial records and the subrecipients’ monitoring of Single Audits sufficient to ensure compliance with federal regulations. Regarding the one subrecipient for which on-site monitoring was not completed, DHS personnel stated that they worked to obtain the necessary documentation to complete the on-site monitoring. However, the subrecipient had not cooperated. The grant agreement with the subrecipient expired on December 31, 2023 and the subrecipient has stopped all contact with DHS. Effect: TANF subrecipients could be operating in noncompliance with federal regulations without timely detection and correction by DHS management. Recommendation: DHS should strengthen its controls to ensure during-the-award monitoring of TANF subrecipients includes procedures to ensure that subrecipients are in compliance with applicable federal regulations. This should include examining subrecipients’ financial records and ensuring that all required Single Audits were obtained by DHS subrecipients. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Office of the Budget – Office of Comptroller Operations Finding 2023 –¬ 021: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist Over the Preparation and Submission of the Quarterly ACF-196R Reports Federal Grant Number(s) and Year(s): 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2001PATANF (10/01/2019 – 9/30/2020), 1901PATANF (10/01/2018 – 9/30/2019), 1801PATANF (10/01/2017 – 9/30/2018), 1701PATANF (10/01/2016 – 9/30/2017) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Reporting Condition: The Pennsylvania Department of Human Services (DHS) is required to submit the ACF-196R, State TANF Financial Report (ACF-196R Report), on a quarterly basis, for each grant year, to the United States Department of Health and Human Services (HHS) Administration for Children and Families (ACF). The ACF-196R Report includes data related to the cumulative transfers, expenditures, and unliquidated obligations through the end of the federal fiscal year. A state must submit a quarterly ACF-196R Report for each open grant year award. During the fiscal year ended June 30, 2023, we selected 10 out of 20 quarterly ACF-196R Reports for testing. The ACF-196R Reports submitted for the quarters ended September 30, 2022 and June 30, 2023 for grant award years 2020 and 2023, respectively, included federal unliquidated obligation amounts reported on Part 1 Expenditure Data, Line 27, which did not agree to the Commonwealth’s general ledger (SAP) as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE We also analytically compared expenditures incurred during the fiscal year ended June 30, 2023 per the ACF-196R Reports to total Temporary Assistance for Needy Families (TANF) expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA) noting a difference of $53,256,607. We requested that management provide a listing of reconciling items between the ACF-196R Reports and the SEFA which resulted in the identification of an understatement of aggregate expenditures reported in the ACF-196R Reports for the report quarter ending June 30, 2023 of $45,603,714. Although the ACF-196R Reports were subjected to a documented supervisory review and approval, the existence of the misstated federal unliquidated obligation and expenditure amounts indicates that the preparation and the supervisory review and approval processes were not adequate, and a material weakness exists over the preparation and submission of the ACF-196R Report. Finding 2023 – ¬021: (continued) Criteria: 45 CFR Section 75.302, Financial management and standards for financial management system, states: (b) The financial management system of each non-Federal entity must provide for the following: (2) Accurate, current, and complete disclosure of the financial results of each Federal award or program in accordance with the reporting requirements set forth in §75.341 and §75.342. 45 CFR Section 265.3, What reports must the State file on a quarterly basis?, states: (a) Quarterly reports. (1) Each State must collect on a monthly basis, and file on a quarterly basis, the data specified in the TANF Data Report and the TANF Financial Report (c) The TANF Financial Report. (1) Each State must file quarterly expenditure data on the State’s use of Federal TANF funds, State TANF expenditures, and State expenditures of MOE funds in separate State programs. (2) If a State is expending Federal TANF funds received in prior fiscal years, it must file a separate quarterly TANF Financial Report for each fiscal year that provides information on the expenditures of that year’s TANF funds. 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (b) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Further, adequate internal controls over report preparation would include detailed written report preparation procedures, a segregation of duties between the preparation and the review and approval of the report, and an adequate review and approval process which would detect errors in the report preparation and ensure that such errors are corrected. Finding 2023 –¬ 021: (continued) Cause: The Commonwealth’s Office of Comptroller Operations (OCO) personnel indicated that three internal orders were set up with incorrect order group attribute codes. These errors resulted in expenditures of $45,603,714 being improperly excluded from the order group reports that were used during the compilation of the expenditure data reported in the ACF-196R Reports for the quarter ending June 30, 2023. The $9,306,287 overstatement and $231,623 understatement noted above were the result of formula errors within OCO’s workbooks used to compile the reports that were not identified prior to the submission of the corresponding reports. OCO personnel stated there is a supervisory review and approval process in place but staff turnover and additional grant responsibilities has created internal time constraints for reporting which inherently has increased the potential risk of errors not being identified during the supervisory review. Effect: Since the preparation and the supervisory review and approval processes were not adequate to ensure the accuracy of expenditures and federal unliquidated obligations, various ACF-196R Reports were misstated for the quarters ended June 30, 2023 and September 30, 2022. DHS is not in compliance with federal regulations, and a material weakness exists. If not corrected, inaccurate reporting could result in future grant awards being reduced. Recommendation: OCO should ensure that the preparation and supervisory review and approval processes for the ACF-196R Report are improved and include all required information including cumulative transfers, expenditures, and unliquidated obligations. OCO should ensure their written procedures for the preparation, review, approval, and submission of the ACF-196R Report are sufficiently detailed to ensure the ACF-196R Report is prepared accurately in accordance with federal regulations. Finally, OCO should ensure the misstated ACF-196R expenditure amounts are corrected and the revised information is submitted to ACF, in accordance with ACF guidelines. OCO Response: OCO agrees with this finding. Questioned Costs: None

Office of the Budget – Office of Comptroller Operations Finding 2023 –¬ 022: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.788 – Opioid STR A Significant Deficiency and Noncompliance Exist in the Commonwealth’s FFATA Reporting Process (A Similar Condition Was Noted in Prior Year Finding 2022-012) Federal Grant Number(s) and Year(s): 2201PATANF (10/01/2021 – 9/30/2022), H79T1083297 (9/30/2020 – 9/29/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Reporting Condition: The Federal Funding Accountability and Transparency Act (FFATA) requires the Commonwealth of Pennsylvania to report first-tier subawards of $30,000 or more to the FFATA Subaward Reporting System (FSRS). Necessary details including the contract amount, contract date, federal award identification number, internal order number, and other information are entered into the Commonwealth’s SAP accounting system when the Commonwealth agencies award subrecipient contracts in order to ensure compliance with the FFATA reporting requirements. Each month Commonwealth information technology personnel run an extract in SAP to populate a FFATA database and generate a report that summarizes the contract information required for that month’s FFATA reporting. The Office of the Budget, Bureau of Accounting and Financial Management (OB-BAFM), is responsible for overseeing FFATA reporting, to include reviewing the summary report to ensure the contract data is complete. Once reviewed, the information is uploaded into FSRS to meet FFATA reporting requirements. Our testing of the FFATA reporting requirements for 40 subaward transactions totaling $112.9 million from thirteen major programs disclosed that two transactions totaling approximately $11.9 million, or 11 percent of transactions tested, were not reported to FSRS. Specifically, the two transactions for which the FFATA information was not reported occurred within two of the 13 programs tested as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2023 –¬ 022: (continued) Criteria: 2 CFR Section 170, Appendix A to Part 170, Award Term, states in part: I. Reporting Subawards and Executive Compensation a. Reporting of first tier subawards. Applicability. Unless you are exempt as provided in paragraph d. of this award term, you must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency (see definitions in paragraph e. of this award term). 2. Where and when to report. i. The non-Federal entity or Federal agency must report each obligating action described in paragraph a.1. of this award term to http://www.fsrs.gov. ii. For subaward information, report no later than the end of the month following the month in which the obligation was made. (For example, if the obligation was made on November 7, 2010, the obligation must be reported by no later than December 31, 2010.) 3. What to report. You must report the information about each obligating action that the submission instructions posted at http://www.fsrs.gov specify. b. Reporting total compensation of recipient executives for non-Federal entities. 1. Applicability and what to report. You must report total compensation for each of your five most highly compensated executives for the preceding completed fiscal year, if - i. The total Federal funding authorized to date under this Federal award equals or exceeds $30,000 as defined in 2 CFR 170.320; ii. in the preceding fiscal year, you received - (A) 80 percent or more of your annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards), and (B) $25,000,000 or more in annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards); and, iii. The public does not have access to information about the compensation of the executives through periodic reports filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a), 78o(d)) or section 6104 of the Internal Revenue Code of 1986. (To determine if the public has access to the compensation information, see the U.S. Security and Exchange Commission total compensation filings at http://www.sec.gov/answers/execomp.htm.) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2023 –¬ 022: (continued) Cause: Regarding the two transactions identified during our testing that were not reported in the FFATA database, OB-BAFM personnel indicated the awards were overlooked during the FFATA review. As a result of our inquiry, OB-BAFM Personnel indicated that these awards were subsequently uploaded to the FFATA database and FSRS as required. Effect: Since the subaward information for two transactions tested were not included in the FFATA database, the required subaward information was not reported to FSRS as required. Further, noncompliance with FFATA reporting requirements in FSRS may recur in future periods if control deficiencies are not corrected to ensure completeness of the FFATA database. Recommendation: We recommend that OB-BAFM follow their established procedures to ensure all subrecipient contract information is included in the FFATA database to ensure that FSRS is accurate and complete. Agency Response: OB-BAFM agrees with the finding. Questioned Costs: None

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Education Finding 2023 – 009: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Significant Deficiency and Noncompliance Exist in the Review and Approval of Subrecipient Education Leading to Employment and Career Training Expenditure Reports by the Pennsylvania Department of Education Federal Grant Number(s) and Year(s): 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Activities Allowed or Unallowed, Allowable Costs/Cost Principles Condition: The Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Education (PDE) have worked collaboratively to assist expectant and parenting youth through an initiative called Education Leading to Employment and Career Training (ELECT). ELECT works with expectant and parenting youth who qualify for assistance through Temporary Assistance for Needy Families (TANF), or are otherwise income-eligible, to support their continuation of or return to school to complete their secondary education. ELECT programs are operated by Local Education Agencies (LEA) that consist of school districts and Intermediate Units (IU). During the fiscal year ended June 30, 2023, PDE passed funding through to 27 LEAs for the operation of ELECT programs. TANF ELECT program payments made by PDE to its 27 subrecipients during the fiscal year ended June 30, 2023 were $14.1 million, or 3.1 percent of total TANF expenditures of $455.7 million reported on the June 30, 2023 Schedule of Expenditures of Federal Awards. As part of our testing of subrecipient expenditures, we selected three subrecipient expenditure reports to test PDE’s procedures for processing subgrantee requests for reimbursement. Our testing found that for one of the three ELECT Expenditure Reports selected for testing, the expenditure report was not certified by an authorized subgrantee official. Criteria: 2 CFR Section 200.415, Required certifications, states: Required certifications include: (a) To assure that expenditures are proper and in accordance with the terms and conditions of the Federal award and approved project budgets, the annual and final fiscal reports or vouchers requesting payment under the agreements must include a certification, signed by an official who is authorized to legally bind the non-Federal entity, which reads as follows: “By signing this report, I certify to the best of my knowledge and belief that the report is true, complete, and accurate, and the expenditures, disbursements and cash receipts are for the purposes and objectives set forth in the terms and conditions of the Federal award. I am aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject me to criminal, civil or administrative penalties for fraud, false statements, false claims or otherwise. (U.S. Code Title 18, Section 1001 and Title 31, Sections 3729-3730 and 3801-3812).” Finding 2023 – 009: (continued) 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). 45 CFR Section 75.352, applicable to TANF states: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. PDE’s Education Leading to Employment and Career Training (ELECT) Operational Guidelines states in part: Authorized Signature: An authorized signature is required on expenditure reports for grants with federal funds. The authorized signatory is taking responsibility for the federal funds; make sure that someone of authority is signing the report. It will not be processed without the signature. Cause: Although PDE requires subrecipients to utilize an ELECT Expenditure Report template that includes a box for an authorized subgrantee signatory to sign which states: By signing this report, I certify to the best of my knowledge and belief that the report is true, complete, and accurate, and the expenditures, disbursements and cash receipts are for the purposes and objectives set forth in the terms and conditions of the Federal award. I am aware that any false, fictitious, or fraudulent information, or the omission of any material fact, may subject me to criminal, civil or administrative penalties for fraud, false statements, false claims or otherwise. (U.S. Code Title 18, Section 1001 and Title 31, Sections 3729-3730 and 3801-3812). PDE’s review did not detect that the expenditure report was not certified by an authorized subgrantee official. PDE did not follow their written operational guidelines which state that PDE should ensure that someone of authority is signing the report and that the expenditure report will not be processed without the signature. PDE management indicated that they monitor subrecipients and request backup documentation for expenditures listed in the requests for reimbursement; however, without subrecipient certifications only limited assurance of the allowability of the activities and costs for which the subrecipient was requesting reimbursement can be obtained. Finding 2023 – 009: (continued) Effect: Without appropriate certifications, PDE cannot be assured that subrecipient expenditures are proper and in accordance with the terms and conditions of the Federal award and approved project budgets. Further, the subrecipient noted in the condition above may have received unallowable cost reimbursements from the TANF program. PDE is not in compliance with federal regulations relating to required certifications, and a significant deficiency exists. If not corrected, the processing of expenditure reports without certifications could result in the reimbursement of unallowable costs and result in future grant awards being reduced. Recommendation: PDE should strengthen its procedures and controls to ensure that required certifications are obtained prior to passing funding through to subrecipients. Further, PDE should request that subgrantees resubmit any expenditure reports from which the required certifications were missing. Agency Response: PDE agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Human Services Finding 2023 – 012: ALN 10.551 and 10.561 – Supplemental Nutrition Assistance Program (SNAP) Cluster (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist at the Department of Human Services Related to Electronic Benefits Transfer Card Security (A Similar Condition Was Noted in Prior Year Finding 2022-006) Federal Grant Number(s) and Year(s): 221PA405S2514 (10/01/2021 – 9/30/2022), 231PA405S2514 (10/01/2022 – 9/30/2023), 1701PATANF (10/01/2016 – 9/30/2017), 2101PATANF (10/01/2020 – 9/30/2021), 2101PATANFC6 (10/01/2020 – 9/30/2022), 2201PATANF (10/01/2021 – 9/30/2022), 2301PATANF (10/01/2022 – 9/30/2023) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Special Tests and Provisions related to EBT Card Security Condition: During our audit of the Supplemental Nutrition Assistance Program (SNAP) administered by the Department of Human Services (DHS), we evaluated the security over Electronic Benefits Transfer (EBT) cards, which includes both the physical security of EBT cards during the issuance process at County Assistance Offices (CAO), as well as the handling of EBT cards returned from the United States Postal Service as undeliverable, or those that have been lost or stolen. EBT cards are the method by which SNAP benefit payments are made available to recipients. Also, EBT cards are the primary method by which cash and special allowance benefit payments are made available to Temporary Assistance for Needy Families (TANF) recipients. Total benefit expenditures for SNAP for the fiscal year ended June 30, 2023 totaled $5.5 billion. Total benefit expenditures for TANF for the fiscal year ended June 30, 2023 totaled $116.8 million. Fourteen of the 87 CAO and district locations that issued EBT cards were selected for site testing in the current audit period. During our testing of the physical security over EBT cards, we noted exceptions at ten CAO and district locations selected for testing. These exceptions included the following: 1) The master list of cardmakers and pinners maintained by the EBT Project Office did not reconcile to the list provided by a CAO (1 location); 2) The Roles/Permissions Report from the EBT Card Tracking Database provided by the EBT Project Office and CAO/district offices did not reconcile (1 district office and 5 CAO locations); 3) EBT cards were created outside of the hours of operations (1 district office and 1 CAO location); 4) Failure to perform the following: • Completion of the witness fields on a Ribbon Log (1 CAO location); • Create adequate written internal procedures for EBT Security for over-the-counter card mailings (1 district office); • Ensure that coverage for card pinning is available until 5:00 PM each business day (2 locations); • Enter EBT cards into the EBT Card Tracking Database at the same time that the card Primary Account Number (PAN) is created in the Electronic Payment Processing and Information Control (EPPIC) system (1 CAO location); • Maintain adequate security of EBT cards (1 district office); • Maintain adequate security of pinning device (1 district office); • Maintain adequate security of EBT card printing device (1 district office); Finding 2023 – 012: (continued) • Maintain operational efficiency due to only having one PIN Select Device (1 CAO location); • Maintain Form HS 764 in the case record after the EBT card is created (1 CAO location); • Maintain an EPPIC EBT Systems Application form (1 CAO location); • Proper completion of the EPPIC EBT Systems Application form; the form requested the user be granted an EPPIC Admin role (inquiry-only access) as well as a PIN Select User role (1 CAO location); • Timely enter a shipment received into the EBT Card Tracking Database (1 CAO location); and • Timely completion and submission of the EPPIC EBT Systems Application forms to the Office of Income Maintenance (OIM) EBT Security (1 district office and 3 CAO locations). Forty of the 261 business days in the current audit period were selected to test the handling and destruction of returned EBT cards. During our testing of the handling and destruction of returned EBT cards, we noted exceptions on one of the 40 business days selected for testing. These exceptions included the following: 1) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Approved by the Project Officer" column of the EBT Headquarters Card Destruction Log was signed and dated by the supervisor one day after the “Cards Destroyed by” column was signed and dated by the clerk. The cards were destroyed prior to the review/approval by the supervisor. 2) Failure to properly complete the EBT Headquarters Card Destruction Log. The "Number of Cards Received by the Project Officer” column of the EBT Headquarters Card Destruction Log was not completed by the supervisor. Criteria: The 2023 OMB Uniform Guidance Compliance Supplement, Part 4 – Agency Program Requirements for the SNAP Cluster, Special Tests and Provisions – N.3 EBT Card Security, states: The state is required to maintain adequate security over, and documentation/records for, EBT cards to prevent their theft, embezzlement, loss, damage, destruction, unauthorized transfer, negotiation, or use (7 CFR Section 274.8(b)(3)). 7 CFR Section 274.5, Record retention and forms security, states: (c) Accountable Documents. (1) EBT cards shall be considered accountable documents. The State agency shall provide the following minimum security and control procedures for these documents: i. Secure storage; ii. Access limited to authorized personnel; iii. Bulk inventory control records; iv. Subsequent control records maintained through the point of issuance or use; and v. Periodic review and validation of inventory controls and records by parties not otherwise involved in maintaining control records. 45 CFR Section 75.302 applicable to TANF states: (b) The financial management system of each non-Federal entity must provide for the following (see also §75.361, 75.362, 75.363, 75.364, and 75.365): (4) Effective control over, and accountability for, all funds, property, and other assets. The non-Federal entity must adequately safeguard all assets and assure that they are used solely for authorized purposes. See §75.303. Finding 2023 – 012: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: Established policies and procedures were not followed consistently across CAO and district locations, which resulted in ineffective internal controls over EBT card security. Effect: Without adequate security controls over EBT cards, there exists the possibility of misappropriation and/or abuse. Recommendation: We recommend that DHS monitor EBT card security at CAO and district locations on a regular basis to improve consistency in the execution of documented policies and procedures. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Human Services Finding 2023 –¬ 013: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Significant Deficiency and Noncompliance Exist Over the Preparation and Submission of the ACF-204 and ACF-196P Reports Federal Grant Number(s) and Year(s): 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2001PATANF (10/01/2019 – 9/30/2020), 1901PATANF (10/01/2018 – 9/30/2019), 1801PATANF (10/01/2017 – 9/30/2018), 1701PATANF (10/01/2016 – 9/30/2017) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Reporting Condition: The Pennsylvania Department of Human Services (DHS) is required to file the ACF-204, Annual Report including the Annual Report on State Maintenance-of-Effort Programs (ACF-204 Report) each federal fiscal year with the United States Department of Health and Human Services, Administration for Children and Families (ACF). The ACF-204 Report contains information on the Temporary Assistance for Needy Families (TANF) program and the State's Maintenance-of-Effort (MOE) programs for that year. DHS is also required to file the ACF-196R, State TANF Financial Report (ACF-196R Report) quarterly with ACF, 45 days after each quarter of the fiscal year. The quarterly ACF-196R Reports reflect expenditures cumulative through that quarter for the federal fiscal year for each open grant award and includes MOE expenditures. The sum of the MOE expenditure amounts claimed on the annual ACF-204 Report should equal the total MOE expenditure amounts claimed on the state’s 4th quarter ACF-196R Report. However, when we reviewed the ACF-204 Report and the 196R-Report filed for September 30, 2022 the reported MOE expenditures did not agree. We determined the ACF-204 Report was inaccurate because edits were made to the ACF-196R Report after submission to ACF and the edits were not updated on the ACF-204 Report. The ACF-204 Report is prepared by DHS program personnel and the ACF-196R Report is prepared by the Office of Comptroller’s Operations (OCO). The ACF-196R Report originally submitted in November 2022 had been revised and resubmitted in March 2023. We noted the following differences between the total state MOE expenditure amounts reported on the two reports: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE The MOE expenditure amounts reported on the original ACF-204 Report were overstated by a total of $3,980,250. Although the ACF-196R Report had been revised in March 2023, there was no subsequent revision to the ACF-204 Report to correct the MOE line items. After our 2023 audit inquiry, DHS program personnel subsequently revised and resubmitted the report to ACF in September 2023 with the correct MOE expenditure amounts. Finding 2023 –¬ 013: (continued) In addition, our procedures disclosed that the ACF-196P Report (TANF Pandemic Emergency Assistance Fund Report) was submitted late. The ACF-196P Report was due December 29, 2022, but was not submitted until January 6, 2023. Criteria: 45 CFR Section 265.9 (a) states: Each State must file an annual report containing information on the TANF program and the State’s MOE programs for that year. TANF-ACF-PI-2001-06, Clarification on Completing the Annual Reports on TANF Programs (Attachment A) and State Maintenance-of-Effort (MOE) Programs (Form ACF-204) (Attachment B) issued by ACF, recommends that State program and fiscal staff coordinate their efforts to complete the ACF-204 information. The sum of the MOE amounts claimed in this report should equal the total MOE amounts claimed under all programs on the State's 4th quarter financial reporting form ACF-196 Report. Management Directive 325.12, Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should design control activities to achieve objectives and respond to risks. Management should externally communicate the necessary quality information to achieve the entity’s objectives. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Pursuant to section 403(c) of the Social Security Act, states must use the ACF-196P form to report TANF PEAF (Pandemic Emergency Assistance Fund) expenditure data. TANF-ACF-PI-2021-08, Program Instructions for the Completion of the TANF Financial Form ACF-196P for the Pandemic Emergency Assistance Fund, states that each grantee must submit completed ACF-196P forms to ACF within 90 days of the end of each federal fiscal year, that is, the quarter ending (QE) September 30. Reports for the PEAF awards for QE September 30, 2022 were due December 29, 2022. Cause: The ACF-204 Report overstatement was discovered as a result of auditor inquiry. Although OCO personnel communicated that a revised ACF196R Report was filed, program personnel did not recognize the need to revise the ACF-204 Report. Regarding the untimely filing of the ACF-196P Report, DHS asked OCO to request an extension as DHS was waiting for guidance from ACF to finalize accounting and close out the grant. The grant must be closed before OCO can prepare and file the final report. However, ACF did not grant the extension. Effect: Inaccuracies on the ACF-204 Report, could lead to the federal government’s inability to determine if the Commonwealth met its MOE requirements for the fiscal year. Furthermore, inaccurate reporting on the ACF-204 Report and untimely reporting of the ACF-196P Report could subject the Commonwealth to penalties. Recommendation: We recommend that program personnel coordinate with OCO personnel to ensure the MOE amounts reported in the ACF-204 Report are correct and equal the form ACF-196R amounts, the ACF-196P is submitted timely, and that federal reports are in compliance with federal requirements. Agency Response: DHS agrees with this finding. Questioned Costs: None

Department of Human Services Finding 2023 ¬– 014: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) Department of Human Services Did Not Validate Financial Information as Part of Its On-Site Monitoring of Temporary Assistance for Needy Families Subrecipients (A Similar Condition Was Noted in Prior Year Finding 2022-008) Federal Grant Number(s) and Year(s): 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2001PATANF (10/01/2019 – 9/30/2020), 1901PATANF (10/01/2018 – 9/30/2019), 1801PATANF (10/01/2017 – 9/30/2018), 1701PATANF (10/01/2016 – 9/30/2017) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: During the fiscal year ended June 30, 2023, the Department of Human Services (DHS) paid $82.4 million in Temporary Assistance for Needy Families (TANF) funding to subrecipients within the New Directions, Cash Grants, and Alternatives to Abortion appropriations (or 18.1 percent) out of total federal TANF expenditures of $455.7 million reported on the June 30, 2023 Schedule of Expenditures of Federal Awards. Our testing of DHS’s during-the-award monitoring of subrecipients for the fiscal year ended June 30, 2023 disclosed that DHS performed on-site monitoring for 13 out of 14 subrecipients selected for testing. The on-site monitoring that was performed consisted of reviews of program operations including design, data entry accuracy and timeliness, case management analysis, and program payment performance goals. The on-site monitoring also included a review of a sample of TANF recipient case files to ensure that the recipients’ TANF activities were documented and accurately entered in the Commonwealth’s Workforce Development System. However, DHS’s monitoring procedures for the 13 subrecipients were not adequate as they did not include a review or monitoring of subrecipient financial records, which would provide an assessment of a subrecipient’s compliance with applicable federal regulations. Although DHS’s monitoring procedures include reviewing subrecipient completed questionnaires for selected subrecipients that had questions related to financial matters, DHS’s monitoring personnel did not review subrecipient financial records. For example, DHS did not perform procedures to ensure subrecipient invoices agreed to the books and records of the subrecipient and that the records were adequate to support the allowability of costs paid by DHS during the award period. In addition, DHS’s monitoring procedures did not include an evaluation of the operating effectiveness of DHS subrecipients’ procedures to monitor Single Audits and any related findings. Our testing of the 14 subrecipients noted above included follow up on one subrecipient identified in the prior year finding as not being on-site monitored by DHS when the risk assessment warranted on-site monitoring. Our follow-up during the current audit period disclosed that DHS did not conduct on-site monitoring for this subrecipient during the fiscal year ended June 30, 2023. Since the on-site monitoring was not completed, internal control weaknesses, noncompliance, and questioned costs may have existed and remained undetected during the current audit period. This subrecipient received $1 million of TANF funds during the fiscal year ended June 30, 2023. Criteria: 45 CFR Section 75.352, Requirements for pass-through entities, states: All pass-through entities must: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. Finding 2023 –¬ 014: (continued) (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity as required by § 75.521 [Management decision]. 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; (2) Performing on-site reviews of the subrecipient's program operations; and (3) Arranging for agreed-upon-procedures engagements as described in §200.425 [Audit services]. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: DHS provided new during-the-award monitoring procedures to be used for the on-site monitoring of subrecipients, but these procedures were not in place for monitoring conducted during the fiscal year ended June 30, 2023. Therefore, DHS has not implemented adequate during-the-award monitoring procedures of subrecipients to include testing of the financial records and the subrecipients’ monitoring of Single Audits sufficient to ensure compliance with federal regulations. Regarding the one subrecipient for which on-site monitoring was not completed, DHS personnel stated that they worked to obtain the necessary documentation to complete the on-site monitoring. However, the subrecipient had not cooperated. The grant agreement with the subrecipient expired on December 31, 2023 and the subrecipient has stopped all contact with DHS. Effect: TANF subrecipients could be operating in noncompliance with federal regulations without timely detection and correction by DHS management. Recommendation: DHS should strengthen its controls to ensure during-the-award monitoring of TANF subrecipients includes procedures to ensure that subrecipients are in compliance with applicable federal regulations. This should include examining subrecipients’ financial records and ensuring that all required Single Audits were obtained by DHS subrecipients. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Office of the Budget – Office of Comptroller Operations Finding 2023 –¬ 021: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) A Material Weakness and Material Noncompliance Exist Over the Preparation and Submission of the Quarterly ACF-196R Reports Federal Grant Number(s) and Year(s): 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2101PATANF (10/01/2020 – 9/30/2021), 2001PATANF (10/01/2019 – 9/30/2020), 1901PATANF (10/01/2018 – 9/30/2019), 1801PATANF (10/01/2017 – 9/30/2018), 1701PATANF (10/01/2016 – 9/30/2017) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Reporting Condition: The Pennsylvania Department of Human Services (DHS) is required to submit the ACF-196R, State TANF Financial Report (ACF-196R Report), on a quarterly basis, for each grant year, to the United States Department of Health and Human Services (HHS) Administration for Children and Families (ACF). The ACF-196R Report includes data related to the cumulative transfers, expenditures, and unliquidated obligations through the end of the federal fiscal year. A state must submit a quarterly ACF-196R Report for each open grant year award. During the fiscal year ended June 30, 2023, we selected 10 out of 20 quarterly ACF-196R Reports for testing. The ACF-196R Reports submitted for the quarters ended September 30, 2022 and June 30, 2023 for grant award years 2020 and 2023, respectively, included federal unliquidated obligation amounts reported on Part 1 Expenditure Data, Line 27, which did not agree to the Commonwealth’s general ledger (SAP) as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE We also analytically compared expenditures incurred during the fiscal year ended June 30, 2023 per the ACF-196R Reports to total Temporary Assistance for Needy Families (TANF) expenditures reported on the Schedule of Expenditures of Federal Awards (SEFA) noting a difference of $53,256,607. We requested that management provide a listing of reconciling items between the ACF-196R Reports and the SEFA which resulted in the identification of an understatement of aggregate expenditures reported in the ACF-196R Reports for the report quarter ending June 30, 2023 of $45,603,714. Although the ACF-196R Reports were subjected to a documented supervisory review and approval, the existence of the misstated federal unliquidated obligation and expenditure amounts indicates that the preparation and the supervisory review and approval processes were not adequate, and a material weakness exists over the preparation and submission of the ACF-196R Report. Finding 2023 – ¬021: (continued) Criteria: 45 CFR Section 75.302, Financial management and standards for financial management system, states: (b) The financial management system of each non-Federal entity must provide for the following: (2) Accurate, current, and complete disclosure of the financial results of each Federal award or program in accordance with the reporting requirements set forth in §75.341 and §75.342. 45 CFR Section 265.3, What reports must the State file on a quarterly basis?, states: (a) Quarterly reports. (1) Each State must collect on a monthly basis, and file on a quarterly basis, the data specified in the TANF Data Report and the TANF Financial Report (c) The TANF Financial Report. (1) Each State must file quarterly expenditure data on the State’s use of Federal TANF funds, State TANF expenditures, and State expenditures of MOE funds in separate State programs. (2) If a State is expending Federal TANF funds received in prior fiscal years, it must file a separate quarterly TANF Financial Report for each fiscal year that provides information on the expenditures of that year’s TANF funds. 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (b) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). Management Directive 325.12 Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Further, adequate internal controls over report preparation would include detailed written report preparation procedures, a segregation of duties between the preparation and the review and approval of the report, and an adequate review and approval process which would detect errors in the report preparation and ensure that such errors are corrected. Finding 2023 –¬ 021: (continued) Cause: The Commonwealth’s Office of Comptroller Operations (OCO) personnel indicated that three internal orders were set up with incorrect order group attribute codes. These errors resulted in expenditures of $45,603,714 being improperly excluded from the order group reports that were used during the compilation of the expenditure data reported in the ACF-196R Reports for the quarter ending June 30, 2023. The $9,306,287 overstatement and $231,623 understatement noted above were the result of formula errors within OCO’s workbooks used to compile the reports that were not identified prior to the submission of the corresponding reports. OCO personnel stated there is a supervisory review and approval process in place but staff turnover and additional grant responsibilities has created internal time constraints for reporting which inherently has increased the potential risk of errors not being identified during the supervisory review. Effect: Since the preparation and the supervisory review and approval processes were not adequate to ensure the accuracy of expenditures and federal unliquidated obligations, various ACF-196R Reports were misstated for the quarters ended June 30, 2023 and September 30, 2022. DHS is not in compliance with federal regulations, and a material weakness exists. If not corrected, inaccurate reporting could result in future grant awards being reduced. Recommendation: OCO should ensure that the preparation and supervisory review and approval processes for the ACF-196R Report are improved and include all required information including cumulative transfers, expenditures, and unliquidated obligations. OCO should ensure their written procedures for the preparation, review, approval, and submission of the ACF-196R Report are sufficiently detailed to ensure the ACF-196R Report is prepared accurately in accordance with federal regulations. Finally, OCO should ensure the misstated ACF-196R expenditure amounts are corrected and the revised information is submitted to ACF, in accordance with ACF guidelines. OCO Response: OCO agrees with this finding. Questioned Costs: None

Office of the Budget – Office of Comptroller Operations Finding 2023 –¬ 022: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.788 – Opioid STR A Significant Deficiency and Noncompliance Exist in the Commonwealth’s FFATA Reporting Process (A Similar Condition Was Noted in Prior Year Finding 2022-012) Federal Grant Number(s) and Year(s): 2201PATANF (10/01/2021 – 9/30/2022), H79T1083297 (9/30/2020 – 9/29/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Reporting Condition: The Federal Funding Accountability and Transparency Act (FFATA) requires the Commonwealth of Pennsylvania to report first-tier subawards of $30,000 or more to the FFATA Subaward Reporting System (FSRS). Necessary details including the contract amount, contract date, federal award identification number, internal order number, and other information are entered into the Commonwealth’s SAP accounting system when the Commonwealth agencies award subrecipient contracts in order to ensure compliance with the FFATA reporting requirements. Each month Commonwealth information technology personnel run an extract in SAP to populate a FFATA database and generate a report that summarizes the contract information required for that month’s FFATA reporting. The Office of the Budget, Bureau of Accounting and Financial Management (OB-BAFM), is responsible for overseeing FFATA reporting, to include reviewing the summary report to ensure the contract data is complete. Once reviewed, the information is uploaded into FSRS to meet FFATA reporting requirements. Our testing of the FFATA reporting requirements for 40 subaward transactions totaling $112.9 million from thirteen major programs disclosed that two transactions totaling approximately $11.9 million, or 11 percent of transactions tested, were not reported to FSRS. Specifically, the two transactions for which the FFATA information was not reported occurred within two of the 13 programs tested as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2023 –¬ 022: (continued) Criteria: 2 CFR Section 170, Appendix A to Part 170, Award Term, states in part: I. Reporting Subawards and Executive Compensation a. Reporting of first tier subawards. Applicability. Unless you are exempt as provided in paragraph d. of this award term, you must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency (see definitions in paragraph e. of this award term). 2. Where and when to report. i. The non-Federal entity or Federal agency must report each obligating action described in paragraph a.1. of this award term to http://www.fsrs.gov. ii. For subaward information, report no later than the end of the month following the month in which the obligation was made. (For example, if the obligation was made on November 7, 2010, the obligation must be reported by no later than December 31, 2010.) 3. What to report. You must report the information about each obligating action that the submission instructions posted at http://www.fsrs.gov specify. b. Reporting total compensation of recipient executives for non-Federal entities. 1. Applicability and what to report. You must report total compensation for each of your five most highly compensated executives for the preceding completed fiscal year, if - i. The total Federal funding authorized to date under this Federal award equals or exceeds $30,000 as defined in 2 CFR 170.320; ii. in the preceding fiscal year, you received - (A) 80 percent or more of your annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards), and (B) $25,000,000 or more in annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards); and, iii. The public does not have access to information about the compensation of the executives through periodic reports filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a), 78o(d)) or section 6104 of the Internal Revenue Code of 1986. (To determine if the public has access to the compensation information, see the U.S. Security and Exchange Commission total compensation filings at http://www.sec.gov/answers/execomp.htm.) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2023 –¬ 022: (continued) Cause: Regarding the two transactions identified during our testing that were not reported in the FFATA database, OB-BAFM personnel indicated the awards were overlooked during the FFATA review. As a result of our inquiry, OB-BAFM Personnel indicated that these awards were subsequently uploaded to the FFATA database and FSRS as required. Effect: Since the subaward information for two transactions tested were not included in the FFATA database, the required subaward information was not reported to FSRS as required. Further, noncompliance with FFATA reporting requirements in FSRS may recur in future periods if control deficiencies are not corrected to ensure completeness of the FFATA database. Recommendation: We recommend that OB-BAFM follow their established procedures to ensure all subrecipient contract information is included in the FFATA database to ensure that FSRS is accurate and complete. Agency Response: OB-BAFM agrees with the finding. Questioned Costs: None

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Human Services Finding 2023 –¬ 015: ALN 93.667 – Social Services Block Grant A Material Weakness and Material Noncompliance Exist in the Department of Human Services’ Program Monitoring of the Social Services Block Grant Subrecipients Federal Grant Number(s) and Year(s): 2301PASOSR (10/01/2022 – 9/30/2024), 2201PASOSR (10/01/2021 – 9/30/2023), 2101PASOSR (10/01/2020 – 9/30/2022) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirements: Cash Management, Subrecipient Monitoring Condition: Our examination of the Department of Human Services’ (DHS) procedures for monitoring Social Services Block Grant (SSBG) subrecipients revealed that DHS did not adequately monitor the SSBG Mental Health, Homeless Services, Child Welfare, Domestic Violence, Rape Crisis, Legal Services, and Family Planning subrecipients to ensure that SSBG awards are used in compliance with laws and regulations, which include allowable costs, period of performance, and other requirements. The inadequately monitored subrecipients received $41.0 million (or approximately 44 percent) of total SSBG program expenditures of $92.7 million reported on the Schedule of Expenditures of Federal Awards (SEFA). While we did note that DHS adequately monitored six of the 55 Mental Health County/County Joinder subrecipients which included Mental Health, Homeless Services and Child Welfare services, this coverage is not adequate. In addition, our review of the risk assessments completed for all of the aforementioned subrecipients identified several instances where subrecipient monitoring was warranted but was not conducted. No monitoring was performed on the Domestic Violence, Rape Crisis, Legal Services and Family Planning subrecipients. In addition, for the compliance requirement related to cash management, we noted that DHS advanced funds to SSBG subrecipients in four of nine program areas, representing $34.0 million (or approximately 37 percent) of SSBG program expenditures, without adequately monitoring the reasonableness of the subrecipient cash balances. In particular, for the program areas related to Mental Health, Intellectual Disabilities, Homeless Services, and Child Welfare, DHS advanced funds to subrecipients on a quarterly basis. Our inquiries with applicable DHS program administrators disclosed that DHS did not adequately monitor the four program areas’ subrecipients for cash management compliance either at the time of payment or at any other time during the fiscal year ended June 30, 2023. Furthermore, while Single Audits of SSBG subrecipients may be conducted each year, this auditing activity does not compensate for the lack of during-the-award program monitoring, since the timing, focus, and scope of subrecipient auditing activities after year end are different than compliance monitoring to be performed by program officials during the year. Criteria: 45 CFR Section 75.352, Requirements for pass-through entities, states: (d) Monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved. Pass-through entity monitoring of the subrecipient must include: (1) Reviewing financial and performance reports required by the pass-through entity. (2) Following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means. (3) Issuing a management decision for audit findings pertaining to the Federal award provided to the subrecipient from the pass-through entity… Finding 2023 –¬ 015: (continued) (e) Depending upon the pass-through entity's assessment of risk posed by the subrecipient (as described in paragraph (b) of this section), the following monitoring tools may be useful for the pass-through entity to ensure proper accountability and compliance with program requirements and achievement of performance goals: (1) Providing subrecipients with training and technical assistance on program-related matters; and (2) Performing on-site reviews of the subrecipient's program operations; (3) Arranging for agreed-upon-procedures engagements as described in §75.425 (Audit services). 45 CFR Section 75.305(b)(1), applicable to payments to subrecipients, states in part: …Advance payments to a non-Federal entity must be limited to the minimum amounts needed and be timed to be in accordance with the actual, immediate cash requirements of the non-Federal entity in carrying out the purpose of the approved program or project. The timing and amount of advance payments must be as close as is administratively feasible to the actual disbursements by the non-Federal entity for direct program or project costs and the proportionate share of any allowable indirect costs. The non-Federal entity must make timely payment to contractors in accordance with the contract provisions. Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: DHS management indicated that risk assessment and monitoring documents were created for use during on-site monitoring of SSBG subrecipients. However, due to staffing issues, on-site monitoring was not performed for all SSBG subrecipients. Consistent with prior year audits, DHS management noted that there have been no changes to the payment methodology for the Homeless Services, Mental Health, Intellectual Disabilities, and Child Welfare components of SSBG. These programs provide subrecipients with advances to comply with Commonwealth law and also to ensure that adequate funds are available to provide services to participants on a timely basis. DHS officials believe that their in-house payment review procedures for the SSBG program are as efficient as administratively feasible and that controls exist in each of the program areas. Without on-site program monitoring visits by funding agency officials, we consider DHS’s limited in-house reviews of subrecipient status reports or other documents to be insufficient to detect potential subrecipient noncompliance, including excess cash violations. DHS does not adjust payments to the subrecipients based on in-house reviews. Effect: Since DHS does not adequately perform during-the-award monitoring of subrecipients, including the monitoring of subrecipient cash on hand, subrecipients may not be complying with applicable grant requirements and federal regulations, including cash management standards. Recommendation: DHS should perform risk based during-the-award monitoring procedures and risk assessments for all SSBG subrecipients to ensure timely compliance with all applicable federal regulations. On-site monitoring visits by state officials should be supported by documentation to show the monitoring performed, areas examined, conclusions reached, and that the monitoring was performed in compliance with applicable regulations. Finding 2023 –¬ 015: (continued) As recommended in previous Single Audits and supported by the United States Department of Health and Human Services, DHS should either consider changing their current subrecipient payment procedures from advancement basis to reimbursement basis or establish procedures to adequately monitor subrecipient cash on hand to ensure it is limited to immediate needs, but no longer than one month. The implementation and strengthening of these controls should provide DHS with reasonable assurance as to compliance with cash management requirements at the subrecipient level. Agency Response: DHS agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Various Agencies Finding 2023 –¬ 023: ALN 10.565, 10.568, and 10.569 – Food Distribution Cluster ALN 93.044, 93.045, and 93.053 – Aging Cluster (including COVID-19) ALN 93.323 – Epidemiology and Laboratory Capacity for Infectious Diseases (including COVID-19) ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.658 – Foster Care – Title IV-E (including COVID-19) ALN 93.667 – Social Services Block Grant State Agencies Did Not Identify the Federal Award Information and Applicable Requirements at the Time of the Subaward and Did Not Evaluate Each Subrecipient’s Risk of Noncompliance as Required by the Uniform Grant Guidance (A Similar Condition Was Noted in Prior Year Finding 2022-013) Federal Grant Number(s) and Year(s): 221PA825Y8005 (10/01/2021 – 9/30/2022), 221PA825Y8105 (10/01/2021 – 9/30/2022), 231PA825Y8005 (10/01/2022 – 9/30/2023) 231PA825Y8105 (10/01/2022 – 9/30/2023), 2101PACMC6 (4/01/2021 – 9/30/2024), 2101PAHDC5 (12/27/2020 – 9/30/2023), 2101PAHDC6 (4/01/2021 – 9/30/2024), 2101PAOACM (10/01/2020 – 9/30/2023), 2101PAOAHD (10/01/2020 – 9/30/2023), 2101PAOANS (10/01/2020 – 9/30/2023), 2101PAOASS (10/01/2020 – 9/30/2023), 2101PAPHC6 (4/01/2021 – 9/30/2024), 2101PASSC6 (4/01/2021 – 9/30/2024), 2101PAVAC5 (4/01/2021 – 9/30/2023), 2201PAOACM (10/01/2021 – 9/30/2023), 2201PAOAHD (10/01/2021 – 9/30/2023), 2201PAOANS (10/01/2021 – 9/30/2023), 2201PAOASS (10/01/2021 – 9/30/2023), 2201PASTPH (1/01/2022 – 9/30/2024), 2301PAOACM (10/01/2022 – 9/30/2024), 2301PAOAHD (10/01/2022 – 9/30/2024), 2301PAOANS (10/01/2022 – 9/30/2024), 2301PAOASS (10/01/2022 – 9/30/2024), NU50CK000527 (8/01/2019 – 7/31/2024), 2301PATANF (10/01/2022 – 9/30/2023), 2201PATANF (10/01/2021 – 9/30/2022), 2201PAFOST (10/01/2021 – 9/30/2022), 2301PAFOST (10/01/2022 – 9/30/2023), 2201PASOSR (10/01/2021 – 9/30/2023), 2301PASOSR (10/01/2022 – 9/30/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Subrecipient Monitoring Condition: The Uniform Guidance in 2 CFR Section 200 applies to the major programs listed above for the fiscal year ended June 30, 2023. Our testing disclosed that the Pennsylvania Department of Human Services (DHS) and the Pennsylvania Department of Agriculture (PDA) did not identify the federal award information and applicable requirements in subrecipient award documents. Additionally, DHS, PDA, the Pennsylvania Department of Health (DOH), and the Pennsylvania Department of Aging (PDOA) did not adequately evaluate each subrecipient’s risk of noncompliance for the purpose of determining the appropriate subrecipient monitoring related to the subaward. This represents an internal control weakness which could cause subrecipients to be improperly informed of federal award information and may result in inadequate monitoring by the state agencies. Also, it could cause the omission or improper identification of program expenditures on subrecipients’ Schedules of Expenditures of Federal Awards (SEFAs). The following chart shows which federal award information required by 2 CFR Section 200 was omitted (as indicated by “No”) from the subrecipient award documents at the time of the subaward and which major programs did not have a state agency evaluation of each subrecipient’s risk of noncompliance. Finding 2023 –¬ 023: (continued) SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Criteria: 2 CFR Section 200.332, Requirements for pass-through entities, states in part: All pass-through entities must: (a) Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification. When some of this information is not available, the pass-through entity must provide the best information available to describe the Federal award and subaward. Required information includes: Finding 2023 – 023: (continued) (1) Federal Award Identification. (iii) Federal Award Identification Number (FAIN); (iv) Federal Award Date (see the definition of Federal Award date in section 200.1) of award to the recipient by the Federal agency; (v) Subaward Period of Performance Start and End Date; (xi) Name of Federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity; (xii) Assistance Listings Number and Title; the pass-through entity must identify the dollar amount made available under each Federal award and the Assistance Listings Number at time of disbursement; (6) Appropriate terms and conditions concerning closeout of the subaward. (b) Evaluate each subrecipient’s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring described in paragraphs (d) and (e) of this section, which may include consideration of such factors as: (1) The subrecipient’s prior experience with the same or similar subawards; (2) The results of previous audits including whether or not the subrecipient receives a Single Audit in accordance with Subpart F [Audit Requirements] of this part, and the extent to which the same or similar subaward has been audited as a major program; (3) Whether the subrecipient has new personnel or new or substantially changed systems; and (4) The extent and results of Federal awarding agency monitoring (e.g., if the subrecipient also receives Federal awards directly from a Federal awarding agency) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should identify, analyze, and respond to risks related to achieving the defined objectives. Management should identify, analyze, and respond to significant changes that could impact the internal control system. Cause: In general, DHS’s and PDA’s processes for subrecipient award monitoring did not identify the omission of required elements from the grant awards. In addition, the risk assessments performed by DHS, PDA, PDOA, and DOH were not properly documented or not performed. Effect: Excluding the federal grant award information at the time of the subaward may cause subrecipients and their auditors to be uninformed about specific program and other regulations that apply to the funds they receive. There is also the potential for subrecipients to have incomplete SEFAs in their Single Audit reports submitted to the Commonwealth, and federal funds may not be properly audited at the subrecipient level in accordance with the Single Audit Act and Uniform Guidance. Not evaluating each subrecipient’s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward may result in subrecipients using the subaward for unauthorized purposes or in violation of the terms and conditions of the subaward, and state agency monitoring would not detect this noncompliance and ensure it is corrected in a timely manner. Finding 2023 ¬– 023: (continued) Recommendation: DHS and PDA should develop policies and reporting mechanisms to ensure all required federal award information is disseminated to all subrecipients at the time of the subaward to ensure subrecipient compliance with the Uniform Guidance in 2 CFR Section 200 and other applicable federal regulations. In addition, DHS and PDA should correspond with applicable subrecipients to ensure they are aware of the correct federal award information and review applicable subaward documents prior to issuance to ensure federal information is complete and accurate. DHS, PDA, PDOA, and DOH should implement procedures to adequately document their evaluation of each subrecipient’s risk of noncompliance as cited in 2 CFR Section 200.332 for purposes of determining the appropriate subrecipient monitoring related to the subaward. DHS Response: DHS agrees with the finding. DOH Response: DOH agrees with the finding. PDA Response: PDA agrees with the finding. PDOA Response: PDOA agrees with the finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Corrections Finding 2023 –¬ 006: ALN 93.788 – Opioid STR A Material Weakness and Material Noncompliance Exist at the Department of Corrections Related to the Review of Opioid Medication Costs Federal Grant Number(s) and Year(s): H79TI083297 (9/30/2020 – 9/29/2023) Type of Finding: Material Weakness in Internal Control over Compliance, Material Noncompliance Compliance Requirement: Activities Allowed or Unallowed Condition: The Pennsylvania Department of Drug and Alcohol Programs (DDAP) administers and monitors funds to provide services for the State Opioid Response Grants (SOR) program. During the fiscal year ended June 30, 2023 the Commonwealth expended $79,631,874 for the SOR program. An allowable use of SOR funds is to procure medications that provide treatment of opioid disorder and smoking cessation to individuals within the Department of Corrections (DOC) system. To provide these treatment services to DOC, DDAP executed interagency agreements to subgrant funds to the DOC. The DOC has a contract with a sole pharmaceutical vendor to procure opioid treatment and smoking cessation medications. The DOC processes the invoices which are submitted by the pharmaceutical vendor to procure the medications. To ensure accurate and cost-effective medication pricing is being billed, DOC relies on the Department of Aging (PDOA) personnel that complete quarterly audits of medication pricing as part of the Pharmaceutical Assistance for the Elderly program. The PDOA quarterly audit reports are PDOA’s internal documents and are not typically provided to DOC unless significant anomalies are noted. The DOC does not perform any other independent review and approval of medication prices in which SOR funds are being expended. During the fiscal year ending on June 30, 2023, we tested the three United States Food and Drug Administration approved medications allowable under the SOR Grants procured by the DOC from the pharmaceutical vendor. Sublocade was one of the allowable medications tested which amounted to purchases totaling over $10 million for the fiscal year. However, this medication was not included in the PDOA quarterly audits during the fiscal year. The DOC was unable to provide any additional evidence of review or approval of Sublocade pricing. Criteria: 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2023 –¬ 006: (continued) 2 CFR Section 200.404, Reasonable costs, states: A cost is reasonable if, in its nature and amount, it does not exceed that which would be incurred by a prudent person under the circumstances prevailing at the time the decision was made to incur the cost. The question of reasonableness is particularly important when the non-Federal entity is predominantly federally-funded. In determining reasonableness of a given cost, consideration must be given to: (a) Whether the cost is of a type generally recognized as ordinary and necessary for the operation of the non-Federal entity or the proper and efficient performance of the Federal award. (b) The restraints or requirements imposed by such factors as: sound business practices; arm's-length bargaining; Federal, state, local, tribal, and other laws and regulations; and terms and conditions of the Federal award. (c) Market prices for comparable goods or services for the geographic area. (d) Whether the individuals concerned acted with prudence in the circumstances considering their responsibilities to the non-Federal entity, its employees, where applicable its students or membership, the public at large, and the Federal Government. (e) Whether the non-Federal entity significantly deviates from its established practices and policies regarding the incurrence of costs, which may unjustifiably increase the Federal award's cost. Cause: DOC did not implement policies and procedures to ensure billed medication prices are accurate and cost effective. Effect: Without review and validation of the prices, DOC may procure medications at higher rates than necessary or correct which would result in overbilling and improper use of SOR funds. Recommendation: We recommend that DOC implement formal policies and procedures to review and approve procured medications and services. Agency Response: DOC agrees with this finding. Questioned Costs: The amount of questioned costs cannot be determined.

Department of Drug and Alcohol Programs Finding 2023 –¬ 007: ALN 93.788 – Opioid STR A Significant Deficiency and Noncompliance Exist at the Department of Drug and Alcohol Programs Related to Submission of Performance Progress Reports Federal Grant Number(s) and Year(s): H79TI083297 (9/30/2020 – 9/29/2023), H79TI085783 (9/30/2022 – 9/29/2024) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Reporting Condition: The Pennsylvania Department of Drug and Alcohol Programs (DDAP) is required to submit biannual Performance Progress Reports (PPR) to the United States Department of Health and Human Services, Substance Abuse and Mental Health Services Administration (SAMHSA) for the components of State Opioid Response Grants (SOR) program. The PPR reports support the collection of data pertaining to the services provided by the 47 Single County Authorities (SCA) throughout the Commonwealth. SAMHSA awards Opioid grants to DDAP for the purpose of administration of the SOR program. The SOR program provides SCAs critical funding and support needed to address the opioid epidemic within the Commonwealth. SCAs must provide a variety of services to recipients including but not limited to treatment of opioid disorder, treatment of stimulant disorder, and recovery support services under the Public Health Services Act (42 U.S.C. 300x-21 et seq). During the fiscal year ended June 30, 2023, DDAP was required to submit year end PPRs for the SOR I and SOR II grants for the period September 30, 2021 through September 29, 2022. In addition, DDAP was required to submit mid-year PPRs for SOR II and SOR III grants for the period September 30, 2022 through March 31, 2023. As the direct recipient of SOR funds, DDAP is responsible for ensuring the timeliness and accuracy of the mid-year and final report submissions. DDAP obtained summary information from the SCAs to compile and submit the PPR reports which contained all required data elements. However, DDAP did not implement policies and procedures to ensure the accuracy of the information reported by the SCAs. Therefore, DDAP was unable to provide supporting documentation for amounts reported by SCAs on the PPR reports or to demonstrate that DDAP had reviewed and verified the accuracy of this information. Criteria: The SOR Program guidance for PPR published by SAMSHA states: • Recipients are required to report on their progress addressing the goals and objectives identified in the FOA. • Recipients are required to submit a Mid-Year and Annual Report on the progress achieved, barriers encountered and efforts to overcome these barriers. 2 CFR Section 200.303, Internal controls, states: The non-Federal entity must: (a) Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control Integrated Framework”, issued by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO). Finding 2023 –¬ 007: (continued) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Cause: DDAP did not implement policies and procedures to ensure the accuracy of information reported by SCAs which was included on the PPRs. Effect: Without review and validation of the detail supporting the summary information reported by SCAs, the PPRs may have contained inaccurate information. Recommendation: We recommend that DDAP implement formal policies and procedures to verify the information reported. Agency Response: DDAP agrees with the concern indicated in this finding regarding lack of policies and procedures to ensure the accuracy of information reported by SCAs, which is included on the PPRs. The Department contracts with 47 SCAs through 5-year grant agreements for the provision of prevention, intervention, treatment/treatment-related, and recovery support services throughout the Commonwealth. Each year, DDAP’s Division of Program Monitoring staff monitors all SCAs to assess compliance as well as evaluate the SCA’s performance. Although the Department has developed and implemented an extensive monitoring process as it relates to the SCAs, the process does not include steps to validate the accuracy of information requested from the SCAs for the PPRs as required by SAMHSA for the SOR program. The Department understands the necessity to establish policies and procedures to ensure the accuracy of information reported by SCAs. Going forward, DDAP will develop and implement a plan to validate SCA information being reported and will incorporate this process into the SCA monitoring. Questioned Costs: The amount of questioned costs cannot be determined.

Office of the Budget – Office of Comptroller Operations Finding 2023 –¬ 022: ALN 93.558 – Temporary Assistance for Needy Families (including COVID-19) ALN 93.788 – Opioid STR A Significant Deficiency and Noncompliance Exist in the Commonwealth’s FFATA Reporting Process (A Similar Condition Was Noted in Prior Year Finding 2022-012) Federal Grant Number(s) and Year(s): 2201PATANF (10/01/2021 – 9/30/2022), H79T1083297 (9/30/2020 – 9/29/2023) Type of Finding: Significant Deficiency in Internal Control over Compliance, Other Matters Compliance Requirement: Reporting Condition: The Federal Funding Accountability and Transparency Act (FFATA) requires the Commonwealth of Pennsylvania to report first-tier subawards of $30,000 or more to the FFATA Subaward Reporting System (FSRS). Necessary details including the contract amount, contract date, federal award identification number, internal order number, and other information are entered into the Commonwealth’s SAP accounting system when the Commonwealth agencies award subrecipient contracts in order to ensure compliance with the FFATA reporting requirements. Each month Commonwealth information technology personnel run an extract in SAP to populate a FFATA database and generate a report that summarizes the contract information required for that month’s FFATA reporting. The Office of the Budget, Bureau of Accounting and Financial Management (OB-BAFM), is responsible for overseeing FFATA reporting, to include reviewing the summary report to ensure the contract data is complete. Once reviewed, the information is uploaded into FSRS to meet FFATA reporting requirements. Our testing of the FFATA reporting requirements for 40 subaward transactions totaling $112.9 million from thirteen major programs disclosed that two transactions totaling approximately $11.9 million, or 11 percent of transactions tested, were not reported to FSRS. Specifically, the two transactions for which the FFATA information was not reported occurred within two of the 13 programs tested as follows: SEE SCHEDULE OF FINDINGS AND QUESTIONED COSTS FOR CHART/TABLE Finding 2023 –¬ 022: (continued) Criteria: 2 CFR Section 170, Appendix A to Part 170, Award Term, states in part: I. Reporting Subawards and Executive Compensation a. Reporting of first tier subawards. Applicability. Unless you are exempt as provided in paragraph d. of this award term, you must report each action that equals or exceeds $30,000 in Federal funds for a subaward to a non-Federal entity or Federal agency (see definitions in paragraph e. of this award term). 2. Where and when to report. i. The non-Federal entity or Federal agency must report each obligating action described in paragraph a.1. of this award term to http://www.fsrs.gov. ii. For subaward information, report no later than the end of the month following the month in which the obligation was made. (For example, if the obligation was made on November 7, 2010, the obligation must be reported by no later than December 31, 2010.) 3. What to report. You must report the information about each obligating action that the submission instructions posted at http://www.fsrs.gov specify. b. Reporting total compensation of recipient executives for non-Federal entities. 1. Applicability and what to report. You must report total compensation for each of your five most highly compensated executives for the preceding completed fiscal year, if - i. The total Federal funding authorized to date under this Federal award equals or exceeds $30,000 as defined in 2 CFR 170.320; ii. in the preceding fiscal year, you received - (A) 80 percent or more of your annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards), and (B) $25,000,000 or more in annual gross revenues from Federal procurement contracts (and subcontracts) and Federal financial assistance subject to the Transparency Act, as defined at 2 CFR 170.320 (and subawards); and, iii. The public does not have access to information about the compensation of the executives through periodic reports filed under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a), 78o(d)) or section 6104 of the Internal Revenue Code of 1986. (To determine if the public has access to the compensation information, see the U.S. Security and Exchange Commission total compensation filings at http://www.sec.gov/answers/execomp.htm.) Management Directive 325.12, Amended – Standards for Enterprise Risk Management in Commonwealth Agencies, adopted the internal control framework outlined in the United States Government Accountability Office’s, Standards for Internal Control in the Federal Government (Green Book). The Green Book states in part: Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. Management should remediate identified internal control deficiencies on a timely basis. Finding 2023 –¬ 022: (continued) Cause: Regarding the two transactions identified during our testing that were not reported in the FFATA database, OB-BAFM personnel indicated the awards were overlooked during the FFATA review. As a result of our inquiry, OB-BAFM Personnel indicated that these awards were subsequently uploaded to the FFATA database and FSRS as required. Effect: Since the subaward information for two transactions tested were not included in the FFATA database, the required subaward information was not reported to FSRS as required. Further, noncompliance with FFATA reporting requirements in FSRS may recur in future periods if control deficiencies are not corrected to ensure completeness of the FFATA database. Recommendation: We recommend that OB-BAFM follow their established procedures to ensure all subrecipient contract information is included in the FFATA database to ensure that FSRS is accurate and complete. Agency Response: OB-BAFM agrees with the finding. Questioned Costs: None