Finding Number: 2023-002
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 10.558 – Child and Adult Care Food Program
Federal Awarding Agency: U.S. Department of Agriculture
Federal Award Number(s): 6AR300322; 6AR300323; 6AR300342
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Cash Management
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
Not applicable
Criteria:
In accordance with 2 CFR § 200.303(c), a non-federal entity must evaluate and monitor its compliance with statutes, regulations, and the terms and conditions of federal awards.
In addition, 2 CFR § 200.400(a) and (b), the non-federal entity is responsible for the efficient and effective administration of the federal award through the application of sound management practices and assumes responsibility for administering federal funds in a manner consistent with underlying agreements, program objectives, and the terms and conditions of the federal award.
Condition and Context:
The Agency receives the following separate grant awards for reimbursement payments to meal providers and sponsoring organizations:
1) CNP Block Consolidated (ALN 10.555).
2) CNP CACFP Cash in Lieu (ALN 10.558).
3) CNP CACFP Sponsor Administrative (ALN 10.558).
Previous correspondence between ALA and the federal awarding agency indicated that each grant award has a designated purpose, and funds are not to be used interchangeably among the grant awards. (Note: This correspondence was shared with Agency management during calendar year 2018.)
All expenditures are assigned an internal order number to identify the applicable federal program and cost category within AASIS, the State’s accounting system. The Agency’s Division of Child Care and Early Childhood Education (DCCECE) staff are responsible for ensuring expenditures are properly coded in AASIS, and the managerial accounting staff utilize expenditure transactions in AASIS to complete cash draws for direct costs to the program.
ALA review of 15 cash draws to determine if funds were drawn from the appropriate grant revealed the following:
• Sponsor Administrative and Cash in Lieu expenditures (ALN 10.558), totaling $98,474 and $38,342, respectively, were inappropriately drawn from the CNP Block Consolidated grant (ALN 10.555).
(Note: DCCECE transitioned from the Arkansas Department of Human Services to the Arkansas Department of Education on August 1, 2023.)
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$136,816
Cause:
DCCECE personnel did not correctly code CACFP Sponsor Administrative expenditures in AASIS, causing managerial accounting staff to draw funds from the incorrect grant award. Additionally, managerial accounting staff did not establish procedures to ensure the Cash in Lieu grant award was adequately funded prior to processing federal cash draws.
Effect:
Funds were drawn for unallowable expenditures (based on the purpose of each grant).
Recommendation:
ALA staff recommend the Agency establish and document procedures that specifically address the proper coding of expenditures in AASIS. In addition, ALA staff recommend the Agency strengthen procedures to ensure that staff properly monitor federal cash draws by reconciling with allowable expenditures and request additional funds when necessary.
Views of Responsible Officials and Planned Corrective Action:
Department of Human Services Response
DHS concurs with the finding. The Division of Childcare and Early Childhood Education (DCCECE) utilized a custom software platform to provide payment files to the State’s accounting software, AASIS, to issue payments to recipients. Within this software, the AASIS coding for Sponsor Administrative costs is coded to CNP Block Consolidated (ALN 10.555) instead of CNP CACFP Sponsor Administrative (ALN 10.558) for the questioned costs of $98,474.00. Expense error corrections were not received timely by managerial accounting staff prior to the close out of SFY2023. Effective August 1, 2023, the division formerly known as DCCECE at DHS transitioned to the Arkansas Department of Education (ADE). DHS alerted financial staff with ADE in February 2024 to review the custom software platform to ensure grant expenses are being properly coded now.
Due to depleted grant funds in CNP CACFP Cash in Lieu (ALN 10.558), the questioned costs of $38,341.68 in grants funds were manually moved by DHS Managerial Accounting staff into the CNP Block Consolidated grant. Managerial accounting staff have been retrained to ensure adequate federal funds are available prior to drawing. If manual adjustments are required, the division’s CFO, or their designee, must review and approve manual adjustments prior to the managerial accounting staff executing manual adjustments. DHS Office of Finance is developing an internal control documenting the prior approval process.
DHS will continue to work in cooperation and coordination with ADE to provide all relevant financial information, documentation, or other items necessary for the administrative functions of DCCECE so as not to disrupt any services.
Arkansas Department of Education Response
The Arkansas Department of Education, Finance unit monitors federal grant awards by using separate cost centers for each program and award year within. This process provides transparent delineation of expenses and revenues within the State’s accounting system, AASIS. Additionally, ADE Finance owns an established procedure to reconcile federal grant awards for each month, within 90 days of the month’s end. The reconciliation procedure accounts for all activity within the grants and ensures data is aligned from the federal drawdown system to the State’s accounting system, AASIS.
Anticipated Completion Date:
Department of Human Services Response: 3/31/2024
Arkansas Department of Education Response: The itemized CNP programs are reconciled using ADE procedures as of August 1,2023. ADE ensures the accuracy of data from August 1, 2023, through January 31, 2024.
Contact Person: Misty Eubanks
Deputy Secretary for Operations and Budget and Interim Chief Financial Officer Department of Human Services
P.O. Box 1437, Slot S201
Little Rock, AR 72203-1437
501-320-6327
Misty.Eubanks@dhs.arkansas.gov
Amy Thomas
Accounting Operations Manager
Arkansas Department of Education
Four Capitol Mall, Room 204
Little Rock, AR 72201
501-682-3636
Amy.Thomas@ade.arkansas.gov
Finding Number: 2023-003
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 10.558 – Child and Adult Care Food Program
Federal Awarding Agency: U.S. Department of Agriculture
Federal Award Number(s): 6AR300322
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Cash Management
Type of Finding: Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
2 CFR § 200.303(a) requires a non-federal entity to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award.
In addition, in accordance with 31 CFR § 205.33(a), a state must minimize the time between the drawdown of federal funds and their disbursement for program purposes. The timing and amount of fund transfers must be as close as is administratively feasible to the actual cash outlay for direct program costs and the proportionate share of any allowable indirect costs.
Condition and Context:
The Agency’s Division of Managerial Accounting staff perform weekly reconciliations between federal cash draw downs and expenditure transactions in AASIS, the State’s accounting system. The reconciliation is utilized to ensure funds are drawn for actual expenditures. The Division’s policy is to use funds drawn in excess of actual expenditures within three days after discovery; otherwise, funds are returned to the federal awarding agency.
ALA reviewed the cash draw reconciliations that were completed for federal fiscal years 2022 and 2023 to determine if they were completed accurately and to ensure the Agency adhered to its policy regarding excess funds drawn.
ALA review revealed that funds drawn against the 2023 CNP Block grant exceeded the allowable expenditures totaling $1,496,279. The Agency was not in compliance with its policy regarding excess funds drawn because the Agency did not immediately adjust future draws or return excess funds, as stated in its policy.
(Note: DCCECE transitioned from the Arkansas Department of Human Services to the Arkansas Department of Education on August 1, 2023.)
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$1,496,279
Cause:
Managerial Accounting staff did not effectively utilize the cash draw reconciliation to ensure funds drawn were only for immediate cash needs.
Effect:
Agency staff did not adjust subsequent cash draws or return funds to the federal awarding agency after the excess draws were discovered.
Recommendation:
ALA staff recommend the Agency review and strengthen its control procedures regarding draws and contact the Arkansas Department of Education and the federal awarding agency to ensure draws do not exceed allowable expenditures going forward.
Views of Responsible Officials and Planned Corrective Action:
Department of Human Services Response
DHS concurs with the finding. Specifically, the documentation provided to auditors during the audit period did not include a full review of allowable expenditures correlated to the federal draws. During the quarter, indirect costs are estimated and are then adjusted to actual indirect costs when the quarterly cost allocation report is completed. If an overpayment was identified after comparing to the cost allocation report, the next federal draw would be reduced by the overpayment. Due to the timing of the DHS Cost Allocation report and the omittance of the allowable 2022 CNP Block grant expenditures, the expenses were understated for 2023 CNP Block grant resulting in the appearance of a federal overpayment.
Following the audit, it was determined DHS DCCECE staff coded 161 transactions totaling direct costs of $1,977,927.62 of allowable expenses for October 2022, November 2022, and March 2023 in the State’s accounting software, AASIS, to the 2022 CNP Block grant when only $505,835.54 federal grant funds were available. The difference of $1,472,092.08 in federal funding was properly drawn from the 2023 CNP Block grant, but AASIS error corrections were not timely submitted to the managerial accounting prior to the close of SFY2023 to ensure the proper allocation of the expenditures. The cost allocation report provided to auditors during the audit period only included the 2023 CNP Block grant AASIS coding and did not include the 2022 CNP Block grant AASIS coding of $1,472,092.08. The remaining difference of $24,186.92 is due to timing of DHS’s Cost Allocation quarterly report that became available July 20th for the June 30th 2023 CNP Block grant expenses. DHS submitted additional documentation to ALA in February 2024 accounting for all allowable expenditures.
DHS Managerial Accounting staff have been provided additional cost allocation training and audit response training. Documents responsive to audit requests will be more fully reviewed prior to submission as senior finance management staffing allows. Effective August 1, 2023, DHS DCCECE has transitioned to Arkansas Department of Education (ADE). DHS will continue to work in cooperation and coordination to provide all relevant financial information, documentation, or other items necessary for the administrative functions of DCCECE so as not to disrupt any services.
Arkansas Department of Education Response
Arkansas Department of Education, Finance unit monitors fund balances in the States’s accounting system, AASIS, at minimum, every other day. The frequency of this process accounts for previous activity in funds or cost centers and pending activity recognized at the time of the review including, but not limited to, upcoming expenses and drawdown requests. ADE procedures ensure the finance unit closely oversees cash on hand, if any, and all necessary drawdowns are completed for immediate use.
Additionally, funds associated with the Office of Early Childhood (formerly DCCECE) that were carried to ADE are shown in the cash edit table, allowing the fund to have a negative balance in the State’s accounting system, AASIS. Including funds in the cash edit table supports the agency in preventing excess drawdowns by allowing funds to be received after expenses are processed. ADE is confident this procedure ensures accurate amounts are drawn.
Anticipated Completion Date:
Department of Human Services Response: Complete
Arkansas Department of Education Response: ADE Finance has implemented the named procedure and continues to monitor cash on hand closely, as the ADE Office of Early Childhood staff, (formerly DHS DCCECE), are trained in this procedure.
Contact Person: Misty Eubanks
Deputy Secretary for Operations and Budget and Interim Chief Financial Officer Department of Human Services
P.O. Box 1437, Slot S201
Little Rock, AR 72203-1437
501-320-6327
Misty.Eubanks@dhs.arkansas.gov
Amy Thomas
Accounting Operations Manager
Arkansas Department of Education
Four Capitol Mall, Room 204
Little Rock, AR 72201
501-682-3636
Amy.Thomas@ade.arkansas.gov
Finding Number: 2023-004
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 10.558 – Child and Adult Care Food Program
Federal Awarding Agency: U.S. Department of Agriculture
Federal Award Number(s): 6AR300322; 6AR300323; 6AR300342
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Procurement and Suspension and Debarment
Type of Finding: Material Weakness
Repeat Finding:
Not applicable
Criteria:
2 CFR § 200.303(a) requires a non-federal entity to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award.
In addition, 2 CFR § 200.214 holds entities subject to 2 CFR Part 180, which restricts awards, subawards, and contracts with certain parties that are debarred, suspended, or otherwise excluded from or ineligible for participation in federal assistance programs or activities.
Condition and Context:
A management evaluation was performed by the U.S. Department of Agriculture – Food and Nutrition Service (USDA-FNS) in July 2021. The evaluation revealed that the Agency was not clearly documenting its review of the National Disqualified List (NDL) prior to approving providers. In December 2021, the Agency implemented a procedure to upload the results of the search for suspended and debarred providers from the NDL to its Special Nutrition Program (SNP) database. The search and upload would occur prior to the approval of a provider.
To determine if the Agency’s new control procedure was operating as designed and effective, ALA selected 25 approved providers located within the SNP database to determine if the Agency uploaded its search of the NDL prior to approving the application. This review revealed the following:
• In 15 instances, the NDL search was not uploaded to the SNP database.
• In one instance, the Agency Coordinator and the Manager approved a provider on October 11, 2022, and October 13, 2022, respectively. However, the NDL search was not uploaded prior to the approvals. The upload occurred on December 5, 2022.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The Agency did not consistently adhere to the newly established procedure.
Effect:
Failure to adhere to the newly established procedure for internal control over compliance increases the risk that an ineligible provider is approved in error.
Recommendation:
ALA staff recommend the Agency review its newly developed control procedure with applicable staff to ensure compliance with suspension and debarment requirements.
Views of Responsible Officials and Planned Corrective Action:
Department of Human Services Response
DHS concurs with the finding. The SNP database has been updated to reflect that a National Disqualified List (NDL) search was run on the 15 providers that were reviewed. The Health and Nutrition Unit for the Office of Early Childhood conducted a staff training on the written application procedure with an emphasis on performing and documenting NDL searches prior to approval of the application. (Note: Effective August 1, 2023, DHS DCCECE has transitioned to Arkansas Department of Education.)
Arkansas Department of Education Response
Arkansas Department of Education’s Office of Early Childhood, Health and Nutrition unit conducted training December 2023 and continues to maintain staff training on the written application procedure to ensure providers are reviewed against the National Disqualified List (NDL) database and prior to approval.
Anticipated Completion Date:
Department of Human Services Response: Complete
Arkansas Department of Education Response: Continuous
Contact Person: Pamela Burton
Director, Health and Nutrition Unit, Division of Elementary and Secondary Education
Arkansas Department of Education
700 Main Street, Room 1216
Little Rock, AR 72203
501-320-8978
Pamela.Burton@ade.arkansas.gov
Finding Number: 2023-005
State/Educational Agency(s): Arkansas Department of Commerce –
Division of Workforce Services
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 17.225 – Unemployment Insurance
Federal Awarding Agency: U.S. Department of Labor
Federal Award Number(s): Not Applicable
Federal Award Year(s): Not Applicable
Compliance Requirement(s) Affected: Activities Allowed or Unallowed;
Eligibility
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
A similar issue was reported in prior-year finding 2022-001.
Criteria:
In accordance with 2 CFR § 200.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award.
In addition, 2 CFR § 200.516 (a)(6) requires the auditor to report as an audit finding any known or likely fraud affecting a federal award.
Condition and Context:
In state fiscal year 2023, the Division of Workforce Services (DWS) identified 1,077 claims paid for Unemployment Insurance programs, totaling $2,295,059, as likely fraud. (This is in addition to the claims identified in the previous years.) The $2,295,059 is comprised of $1,563,505 in federal funds and $731,554 in state funds.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$1,563,505 (federal)
$ 731,554 (state)
Cause:
In response to the increase in demand for services/benefits, the State relaxed controls over identify verification and income verification for the program during fiscal year 2021. DWS continued to identify claims in fiscal year 2023 that were paid during fiscal year 2021.
Effect:
Lack of appropriate internal controls resulted in overpayments of state and federal funds.
Recommendation:
ALA staff recommend the Agency continue to strengthen controls over benefit payments to ensure that payments are made in the correct amount and to eligible claimants. Additionally, ALA staff recommend the Agency continue to seek recoupment of the identified overpayments, returning them to their appropriate source.
Views of Responsible Officials and Planned Corrective Action:
Due to the health concerns of the pandemic as well as unprecedented claims volume, claimants were not required to come into a local office for identity verification, the waiting week was waived for 2020, and the requirements for work search were adjusted in order to protect employees and claimants.
Before the pandemic, all claimants were required to come to the local office to verify their identity. Removing these process controls resulted in several consequences as itemized below:
• By waiving the waiting week, the claimant was able to receive payment the following week. For example, a fraudster could file a claim on Friday, then receive payment on Sunday, removing the typical week that an employer would respond to validate the separation from employment.
• The information mailed to the employer and claimant were not received before payments were made due to the lack of waiting week.
• Businesses were closed at that time and did not respond to the unemployment paperwork timely to report fraudulent claims.
• Identity theft fraudsters often changed the address of the individuals for which they had filed claims in order to prevent the victims from being notified and reporting the fraud.
In 2020, the work search requirement was reinstated. In 2021, all claimants had to verify their identity in-person at the local office before the claim was opened for a regular unemployment claim. The UIdentify program was utilized for identity verification for the PUA claims filed after January 1, 2021. The waiting week was reinstated in January 2021, which lengthened the time period for employers to respond before payment was issued.
In addition, Internal Audit created the Fraud Investigation Unit and hired additional staff to focus on investigating the identity theft fraud claims. When the perpetrator is identified, a determination is issued and an overpayment is established in the perpetrator’s name/SSN for collection. The NASWA Integrity Data Hub (IDH) crossmatch was implemented in July 2020 as well in an effort to identify additional fraudulent claims for investigation.
ADWS was the first UI program to implement 2 projects with the Department of Labor for identity verification. One is using Login.gov and the other involves the United States Postal Service where they verify the identity of claimants for using multifactor authentication and in person presentation of ID. The Login.gov pilot started in 2022 and the USPS pilot project started in 2023.
1. The Login.gov project uses the current system that Federal agencies use to verify identity and went into service in Arkansas as of March 2022. A link is given to the claimant, when they select verify ID through login.gov and go through the steps to verify their identity through the federal government system. If they are approved, we are sent an IA2 verification to the UI processing system to allow staff to match back to the claim to prove ID verification.
2. The United States Postal Service project, implements in Arkansas March 2023, offers the claimant the same link as Login.gov, but grants the additional option to verify their identity at any US Post Office in the country. A barcode is created and must be taken with a valid government-issued ID (they are given examples) along with proof of current address to the post office in person. If they are approved, we are sent an IA2 verification to the UI processing system to allow staff to match back to the claim to prove ID verification.
Anticipated Completion Date: Corrective action was taken for the controls the ALA staff recommended.
Contact Person: Sheri Rooney
Program Administrator
Arkansas Division of Workforce Services
#2 Capitol Mall
Little Rock, AR 72201
501-682-3382
Sheri.Rooney@arkansas.gov
Finding Number: 2023-006
State/Educational Agency(s): Arkansas Department of Commerce –
Arkansas Economic Development Commission
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 21.027 – COVID 19: Coronavirus State and Local
Fiscal Recovery Fund (CSLFRF)
Federal Awarding Agency: U.S. Department of Treasury
Federal Award Number(s): SLFRP3627
Federal Award Year(s): 2022
Compliance Requirement(s) Affected: Activities Allowed or Unallowed;
Allowable Costs/Cost Principles
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-014.
Criteria:
In accordance with 2 CFR § 200.403(g), costs must be adequately documented to be allowable under federal awards.
In addition, state-promulgated rules governing the Arkansas Rural Connect (ARC) Program provide that internet service providers (ISPs) must submit receipts for all reimbursable expenses. The rules also provide that the full purchase price of capital equipment used for the build phase of a project and having value for other construction work subsequent to project completion, is not allowable.
Finally, 2 CFR § 200.303 states that a non-federal entity must:
• Establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award.
• Evaluate and monitor its compliance with the award.
• Take prompt action when instances of noncompliance are identified, including noncompliance identified in audit findings.
Condition and Context:
ALA staff selected 20 payments made to ISPs to determine if sufficient, appropriate documentation was maintained to support that reimbursements were made for allowable project expenses. ALA review revealed the following:
Project 1:
• Two claims, totaling $3,465, were reimbursed without appropriate supporting documentation (e.g., an invoice or receipt).
Project 2:
• Two claims, totaling $5,179, were reimbursed without appropriate supporting documentation (e.g., an invoice or receipt).
• The Agency’s contractor, UAMS-IDHI, approved reimbursement for a “fiber splicing trailer,” also referred to as a tandem axle enclosed trailer, totaling $25,673. This item is commonly used by broadband installers and has value for other non-ARC constructions projects, making it unallowable.
Project 3:
• Nine claims, totaling $92,538, were reimbursed without appropriate supporting documentation (e.g., an invoice or receipt).
• Eight claims, totaling $498,487, were reimbursed without appropriate supporting documentation (e.g., an invoice or receipt).
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$625,342
Cause:
The Agency’s contractor, UAMS-IDHI, did not perform its obligation to ensure reimbursement requests were appropriately supported. The contractor stated that it relaxed the review process as a result of an internal agreement with the previous Commission Director of Broadband.
Effect:
Reimbursements were approved for expenditures that may not have been allowable or may not have been incurred. The federal awarding agency may require recoupment.
Recommendation:
ALA staff recommend the Agency promptly develop, document, and establish procedures to monitor the agreement with its contractor to ensure completion of performance objectives and compliance with federal regulations.
Views of Responsible Officials and Planned Corrective Action:
ASBO has entered a contract with a new 3rd party administrator to provide oversight for all subgrant awardees. This contact is active now. We developed our contract to ensure improved monitoring for expenditures and verification of receipts. Also, we are in the process of developing a portal which will allow this contractor and ASBO to have full access to all documents from subgrantees. Our new vendor does have prior experience with subgrants management.
In addition, ASBO commits internally to the following:
• We will monitor all capital purchases when the invoices are received at our office.
• We will pull a random sample of five invoices per month and conduct our own review of expenses.
Highlights for the Baker contract:
ASBO’s broadband grant program management vendor-partner, Michael Baker International (MBI), is contracted for the following activities and deliverables:
• Developing the workflow, process, and online forms that facilitate project monitoring and expense reimbursement.
• Responsible for pursuing and documenting additional information required for project monitoring and reimbursement activities. These activities shall be completed within the framework of the Broadband Grants Project Monitoring and Reimbursement System (see below for details) and not through external email or other document exchange system.
• Develop and apply standardized naming conventions for all project documents that will be maintained throughout the life of the project. Documents shall be stored in a manner that promotes transparency and facilities ease of use by auditors.
• Take all reasonable measures to ensure grant activities are implemented in a manner that ensures transparency, accountability, and oversight sufficient to (1) minimize the opportunity for waste, fraud, and abuse; (2) ensure that subrecipients use funds to further the objectives of Federal programs and the Arkansas State Broadband Office; and (3) allow the public to understand and monitor subgrants awarded under the program.
• Ensuring all reimbursement activity complies with Federal requirements, including Section 60102 of the Infrastructure Act, 2 C.F.R. Part 200 and any supplemental guidance issued by the Federal government.
• Responsible for knowing what constitutes eligible and ineligible expenses under both state and Federal rules.
• Provide education and guidance to subrecipients and the ASBO on key oversight and compliance requirements.
• Ensure payment activities follow all state and Federal policies and procedures. Contractor acknowledges policies may change over the life of the contract.
• Identify policies the ASBO is required to adopt and assist in drafting those policies to ensure ASBO compliance with Federal regulations.
• Assist the Arkansas State Broadband Office in enforcing program rules and laws and imposing penalties for nonperformance, failure to meet statutory obligations, or wasteful, fraudulent, or abusive expenditure of funds. Such penalties include, but are not limited to, imposition of additional award conditions, payment suspension, award suspension, grant termination, de-obligation/clawback of funds, and debarment of organizations and/or personnel.
• Conduct audits of subrecipients as are necessary and appropriate. Contractor shall report the results of any audits it conducts to the Arkansas State Broadband Office.
• Develop a template contract for subrecipients, specifying key terms including contract length, performance standards, construction and service rollout schedules, competitive access requirements, regulatory compliance requirements, environmental controls, grant reporting and data sharing requirements, monitoring and oversight procedures, and penalties for non-compliance.
• Retain and provide to the Arkansas State Broadband Office upon request all records, documents, and communications of any kind that relates in any manner to grant awards and project procurement, performance, and reimbursement. This data shall be labeled and stored in a manner that promotes transparency and facilitates ease of use by auditors.
Additionally, MBI is building two new systems for ASBO and subgrantee use:
1. Broadband Grants Project Monitoring and Reimbursement System
2. Grant Application Submission, Evaluation, Award, and Appeal System
These systems will have the following features:
• Facilitate inputs, responses, data gathering, analysis, and adjudication decision recommendations and subsequent documentation of payment decisions for the Arkansas State Broadband Office’s final approval.
• Provide a secure mechanism for grant applications and safeguard protected, proprietary, and other confidential information.
• Assign a unique identifier to each application and each project. Contractor shall develop and apply a standardized naming convention to all applications and associated documents that will be maintained throughout award, technical review, project monitoring, and project closing. Documents shall be named and stored in a manner that facilitates ease of use by auditors.
• System shall exhibit built-in quality controls, such as pre-screening, that assist applicants in submitting applications that meet all minimal requirements for consideration (such as requiring a SAM number).
• MBI shall be responsible for pursuing and documenting additional information required for clarification of submitted applications, technical reviews of applications, and project monitoring
• and reimbursement activities. These activities shall be completed within the framework of the Grant Application Submission, Evaluation, Award, and Appeal System or the Broadband Grants Project Monitoring and Reimbursement System and not through external email or other document exchange systems.
Anticipated Completion Date: System anticipated go live Date: April 26, 2024
Contact Person: Glen E. Howie
Director
Department of Commerce, Arkansas State Broadband Office
1 Commerce Way, Suite. 601
Little Rock, AR 72202
(501) 682-1123
Glen.Howie@ArkansasEDC.gov
Finding Number: 2023-007
State/Educational Agency(s): Arkansas Department of Commerce –
Arkansas Economic Development Commission
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 21.027 – COVID 19: Coronavirus State and Local
Fiscal Recovery Fund (CSLFRF)
Federal Awarding Agency: U.S. Department of Treasury
Federal Award Number(s): SLFRP3627
Federal Award Year(s): 2022
Compliance Requirement(s) Affected: Procurement and Suspension and Debarment
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-017.
Criteria:
In accordance with 2 CFR § 200.302(b)(7), a non-federal entity must establish written procedures to implement and determine the allowability of costs in accordance with Uniform Administrative Requirements, Cost Principles, and Audit Requirements, as well as the terms and conditions of the federal award.
In addition, 2 CFR § 200.303(a) states that a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the award in compliance with federal statutes, regulations, and the terms and conditions of the award.
Finally, 2 CFR § 200.214 holds entities subject to 2 CFR Part 180, which restricts awards, subawards, and contracts with certain parties that are debarred, suspended, or otherwise excluded from or ineligible for participation in federal assistance programs or activities.
Condition and Context:
For the second consecutive year, the Agency failed to establish documented control procedures for this compliance requirement area.
The Agency is responsible for ensuring that entities receiving awards are registered in the System for Award Management (SAM) database and have not been suspended or debarred. Registration must occur prior to the issuance of a contract or grant agreement.
ALA staff reviewed 11 contracts and grant agreements to determine if the Agency complied with the requirement. ALA review revealed that one entity, with an agreement dated January 27, 2022, failed to register on SAM until February 18, 2022.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Unknown
Cause:
The Agency failed to establish documented control procedures and did not have adequately trained staff to ensure compliance.
Effect:
Failure to develop, document, and implement procedures for internal control over compliance increases risk for issuance of contracts and grant agreements to excluded or ineligible entities.
Recommendation:
ALA staff recommend the Agency promptly develop, document, and establish policies to ensure contracts and grant agreements are only issued to eligible entities.
Views of Responsible Officials and Planned Corrective Action:
ASBO has made the registration at Sam.gov part of the application process that will be handled through the subgrant portal being developed with our new grants monitoring contractor. This will now be an electronic field that will be entered by the subgrantee. The 3rd party administrator will be responsible for verifying the subgrant applicant Sam.gov registration is valid and active.
Anticipated Completion Date: System anticipated go live Date: April 26, 2024
Contact Person: Glen E. Howie
Director
Department of Commerce, Arkansas State Broadband Office
1 Commerce Way, Suite. 601
Little Rock, AR 72202
(501) 682-1123
Glen.Howie@ArkansasEDC.gov
Finding Number: 2023-008
State/Educational Agency(s): Arkansas Department of Commerce –
Arkansas Economic Development Commission
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 21.027 – COVID 19: Coronavirus State and Local
Fiscal Recovery Fund (CSLFRF)
Federal Awarding Agency: U.S. Department of Treasury
Federal Award Number(s): SLFRP3627
Federal Award Year(s): 2021
Compliance Requirement(s) Affected: Subrecipient Monitoring
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-018.
Criteria:
In accordance with 2 CFR § 200.332(a)(1), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward:
i. Subrecipient name (which must match the name associated with its unique entity identifier).
ii. Subrecipient's unique entity identifier.
iii. Federal Award Identification Number (FAIN).
iv. Federal award date.
v. Subaward Period of Performance start and end date.
vi. Subaward budget period start and end date.
vii. Amount of federal funds obligated by this action by the pass-through entity to the subrecipient.
viii. Total amount of federal funds obligated to the subrecipient by the pass-through entity including the current financial obligation.
ix. Total amount of the federal award committed to the subrecipient by the pass-through entity.
x. Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA).
xi. Name of federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity.
xii. Assistance listings number (ALN) and title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement.
xiii. Identification of whether the award is Research & Development.
xiv. Indirect cost rate for the federal award.
In addition, 2 CFR § 200.332(a)(4) requires an approved federally recognized indirect cost rate between the subrecipient and the federal awarding agency.
2 CFR § 200.332(b) states that pass-through entities must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.
Finally, 2 CFR § 200.332(d) states that pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward performance goals are achieved.
Section 9(G) of the Arkansas Rule Connect (ARC) rules state that within 45 days after grant approval, the Internet Service Provider (ISP) should submit the project plans to a licensed Professional Engineer (PE) for a technical adequacy confirmation. Once received, the ISP should submit the PE approval stamp to the Arkansas State Broadband Office (ASBO).
Condition and Context:
ALA staff reviewed seven executed grant agreements, totaling $28,392,301, to determine if they met the Uniform Guidance criteria. The following deficiencies were noted:
• The seven grant agreements did not include all required terms, specifically from the criteria noted above, ii, iii, iv, xi, xii, xiii, and xiv.
• An indirect cost rate agreement could not be provided.
• Discussion with management indicated that the ISPs were evaluated during the application process, but the results were not documented. Without proper documentation, ALA staff were unable to determine if the ISPs were assessed for risk as required by Uniform Guidance (2 CFR § 200.332(b)).
• Discussion with management indicated that the pass-through entity did not have documentation indicating that a PE reviewed the technical adequacy of any of the seven projects ALA reviewed.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The Agency did not ensure staff were trained and knowledgeable regarding Uniform Guidance requirements for subrecipients.
Effect:
Without a proper grant agreement, subrecipients may be unaware that their award is subject to federal compliance requirements. The Agency could award federal funds to a high risk entity and fail to adjust the methods of monitoring accordingly. Absent a review by a PE, the project may fail to comply with performance requirements.
Recommendation:
ALA staff recommend the Agency provide training to appropriate staff to ensure adherence to Uniform Guidance regarding subrecipient monitoring.
Views of Responsible Officials and Planned Corrective Action:
ASBO has developed a Notice of Subgrant Award Information Form providing required information to each subrecipient. We have already sent this form out for CPF grants as an amendment to the current grant award. This form will be part of the subawards that will be issued for the upcoming BEAD subgrants. We are currently developing this form for all SLFRF grants to be sent out as an amendment. It is currently being reviewed for changes. Our goal is to have this form out as an amendment to all SLFRF subgrantees by June 1, 2024.
Anticipated Completion Date: June 1, 2024
Contact Person: Glen E. Howie
Director
Department of Commerce, Arkansas State Broadband Office
1 Commerce Way, Suite. 601
Little Rock, AR 72202
(501) 682-1123
Glen.Howie@ArkansasEDC.gov
Finding Number: 2023-009
State/Educational Agency(s): University of Arkansas – Little Rock
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.007 – Federal Supplemental Educational Opportunity Grants
84.033 – Federal Work Study Program
84.063 – Federal Pell Grant Program
84.268 – Federal Direct Student Loans
84.379 – TEACH Grant
(Student Financial Assistance Cluster)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): Various
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Gramm-Leach-Bliley Act-Student Information Security
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
Postsecondary institutions are required under the Gramm-Leach-Bliley Act (16 CFR § 314) to establish an information security program. This program should encompass a documented risk assessment, identifying internal and external risks to the security, confidentiality, and integrity of customer information. Additionally, the written information security program must outline the implementation of particular safeguards tailored to address the risks identified in the risk assessment.
Condition and Context:
The University of Arkansas Little Rock did not establish adequate internal controls over and did not comply with federal requirements to conduct a risk assessment of student information security in accordance with 16 CFR § 314.4.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The University of Arkansas Little Rock did not develop internal controls to monitor grant requirements, The required risk assessment and implementation of safeguards to control risk identified were inadequate to protect students’ financial aid information.
Effect:
Student information was more susceptible to unauthorized disclosure, misuse, alteration, destruction, or other compromise because risks could exist for which safeguards have not been designed and implemented.
Recommendation:
ALA recommends the University perform a risk assessment in accordance with 16 CFR § 314. This assessment should evaluate the risks associated with protecting students' financial aid information, covering all essential elements specified in 16 CFR § 314. Additionally, the University should establish a periodic review process to continuously comply with regulatory requirements, maintain a proactive approach to information security, develop an information security program, and implement a comprehensive set of safeguards tailored to address specific risks identified in the risk assessment.
Views of Responsible Officials and Planned Corrective Action:
Management understands the recommendations provided in the finding. We are planning on updating our 2021 Risk Assessment with our campus community in the near future. In accordance with ALA's recommendation, we will focus on GLBA 16 CFR 314 elements and financial aid data. As with our 2021 Risk Assessment, our plan will be reviewed and accepted by our Chancellor. We intend to have the Risk Assessment updated and reviewed by June 30, 2024. We will also coordinate the risks identified with the extensive list of controls and policies that currently protect student’s financial aid information. These include:
Acceptable Use Policy_V7_3.pdf
Antivirus and Malware Policy_V2_1.pdf
Cloud Services Policy_V1_2.pdf
Confluence Screenshots Of Contact Information For Critical Systems (1).pdf
Data Classification Policy_V1_2.pdf
Data Encryption Policy_V7_1.pdf
Data Management Use Protection Policy_V7_2.pdf
Data Protection Policy_V7_2
Data Protection Policy_V7_2.pdf
Disaster Recovery Business Continuity System Recovery Prioritization List_V1_2.pdf
Disaster Recovery Procedure_V1_5.pdf
Drive Data Deletion Policy_V7_2.pdf
E-Learning Policies_V7_1.pdf
Email and Digital Communication Policy_V8_2.pdf
Email and Digital Communication Policy_V8_2.pdf
Employee Data Deletion Policy_V7_2.pdf
Encryption of Sensitive Data on Transmission Policy_V7_2.pdf
Faculty Senate Legislation Reference_V6.1.pdf
Firewall Blacklist and Whitelist Policy_V7_2.pdf
Firewall Management Procedure_V7_2.pdf
GLBA Risk assessment.docx
Incident Response and Forensic Analysis Procedures_V7_5.pdf
IT Employee Departure Procedures_V7_2.pdf
IT Security Awareness and Competencies Policy_V1_5.pdf
IT Services System Administration Privileged Access Management Policy_V7_2.pdf
IT System Backup Procedures_V7_2.pdf
IT System Patching Process_V7_3.pdf
Lab / Classroom Administrative Rights Exception Request_V6_1.pdf
Local Firewall Procedures for Workstations and Mobile Devices_V7_2.pdf
Log Review Policy_V2_1.pdf
Mobile Device Security - Remote Email Destruction Process_V1_1.pdf
Mobile Device Security Policy_V2_1.pdf
Multi-factor Authentication - Information Technology Services - UA Little Rock.pdf
Network Patching Process_V1_1.pdf
PCI Compliance _ Training Policy_V7_2.pdf
Physical Security Policy_V1_3.pdf
Retention of Records Policies_V7_2.pdf
Security and Incident Response Team Policy_V1_3.pdf
Security and IT System Access Policy_V1_2.pdf
Student Account Deletion Policy_V7_2.pdf
System Log Requirements_V8_2.pdf
UALR Change Management Policy 2.2.pdf
Vendor Remote Access Policy_V1_1.pdf
Vulnerability Scan Policy_V7_2.pdf
Wireless Network Guest Security Policy_V1_1.pdf
Wireless Security Policy_V1_2.pdf
Workstation Administrative Rights Exception Request_V6_1.pdf
Anticipated Completion Date: June 30, 2024
Contact Person: Gerald J. Ganz, Jr.
Vice Chancellor for Finance & Administration
University of Arkansas at Little Rock
2801 S. University Avenue
Little Rock, AR 72204
501-916-5622
GJGanz@ualr.edu
Finding Number: 2023-009
State/Educational Agency(s): University of Arkansas – Little Rock
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.007 – Federal Supplemental Educational Opportunity Grants
84.033 – Federal Work Study Program
84.063 – Federal Pell Grant Program
84.268 – Federal Direct Student Loans
84.379 – TEACH Grant
(Student Financial Assistance Cluster)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): Various
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Gramm-Leach-Bliley Act-Student Information Security
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
Postsecondary institutions are required under the Gramm-Leach-Bliley Act (16 CFR § 314) to establish an information security program. This program should encompass a documented risk assessment, identifying internal and external risks to the security, confidentiality, and integrity of customer information. Additionally, the written information security program must outline the implementation of particular safeguards tailored to address the risks identified in the risk assessment.
Condition and Context:
The University of Arkansas Little Rock did not establish adequate internal controls over and did not comply with federal requirements to conduct a risk assessment of student information security in accordance with 16 CFR § 314.4.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The University of Arkansas Little Rock did not develop internal controls to monitor grant requirements, The required risk assessment and implementation of safeguards to control risk identified were inadequate to protect students’ financial aid information.
Effect:
Student information was more susceptible to unauthorized disclosure, misuse, alteration, destruction, or other compromise because risks could exist for which safeguards have not been designed and implemented.
Recommendation:
ALA recommends the University perform a risk assessment in accordance with 16 CFR § 314. This assessment should evaluate the risks associated with protecting students' financial aid information, covering all essential elements specified in 16 CFR § 314. Additionally, the University should establish a periodic review process to continuously comply with regulatory requirements, maintain a proactive approach to information security, develop an information security program, and implement a comprehensive set of safeguards tailored to address specific risks identified in the risk assessment.
Views of Responsible Officials and Planned Corrective Action:
Management understands the recommendations provided in the finding. We are planning on updating our 2021 Risk Assessment with our campus community in the near future. In accordance with ALA's recommendation, we will focus on GLBA 16 CFR 314 elements and financial aid data. As with our 2021 Risk Assessment, our plan will be reviewed and accepted by our Chancellor. We intend to have the Risk Assessment updated and reviewed by June 30, 2024. We will also coordinate the risks identified with the extensive list of controls and policies that currently protect student’s financial aid information. These include:
Acceptable Use Policy_V7_3.pdf
Antivirus and Malware Policy_V2_1.pdf
Cloud Services Policy_V1_2.pdf
Confluence Screenshots Of Contact Information For Critical Systems (1).pdf
Data Classification Policy_V1_2.pdf
Data Encryption Policy_V7_1.pdf
Data Management Use Protection Policy_V7_2.pdf
Data Protection Policy_V7_2
Data Protection Policy_V7_2.pdf
Disaster Recovery Business Continuity System Recovery Prioritization List_V1_2.pdf
Disaster Recovery Procedure_V1_5.pdf
Drive Data Deletion Policy_V7_2.pdf
E-Learning Policies_V7_1.pdf
Email and Digital Communication Policy_V8_2.pdf
Email and Digital Communication Policy_V8_2.pdf
Employee Data Deletion Policy_V7_2.pdf
Encryption of Sensitive Data on Transmission Policy_V7_2.pdf
Faculty Senate Legislation Reference_V6.1.pdf
Firewall Blacklist and Whitelist Policy_V7_2.pdf
Firewall Management Procedure_V7_2.pdf
GLBA Risk assessment.docx
Incident Response and Forensic Analysis Procedures_V7_5.pdf
IT Employee Departure Procedures_V7_2.pdf
IT Security Awareness and Competencies Policy_V1_5.pdf
IT Services System Administration Privileged Access Management Policy_V7_2.pdf
IT System Backup Procedures_V7_2.pdf
IT System Patching Process_V7_3.pdf
Lab / Classroom Administrative Rights Exception Request_V6_1.pdf
Local Firewall Procedures for Workstations and Mobile Devices_V7_2.pdf
Log Review Policy_V2_1.pdf
Mobile Device Security - Remote Email Destruction Process_V1_1.pdf
Mobile Device Security Policy_V2_1.pdf
Multi-factor Authentication - Information Technology Services - UA Little Rock.pdf
Network Patching Process_V1_1.pdf
PCI Compliance _ Training Policy_V7_2.pdf
Physical Security Policy_V1_3.pdf
Retention of Records Policies_V7_2.pdf
Security and Incident Response Team Policy_V1_3.pdf
Security and IT System Access Policy_V1_2.pdf
Student Account Deletion Policy_V7_2.pdf
System Log Requirements_V8_2.pdf
UALR Change Management Policy 2.2.pdf
Vendor Remote Access Policy_V1_1.pdf
Vulnerability Scan Policy_V7_2.pdf
Wireless Network Guest Security Policy_V1_1.pdf
Wireless Security Policy_V1_2.pdf
Workstation Administrative Rights Exception Request_V6_1.pdf
Anticipated Completion Date: June 30, 2024
Contact Person: Gerald J. Ganz, Jr.
Vice Chancellor for Finance & Administration
University of Arkansas at Little Rock
2801 S. University Avenue
Little Rock, AR 72204
501-916-5622
GJGanz@ualr.edu
Finding Number: 2023-009
State/Educational Agency(s): University of Arkansas – Little Rock
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.007 – Federal Supplemental Educational Opportunity Grants
84.033 – Federal Work Study Program
84.063 – Federal Pell Grant Program
84.268 – Federal Direct Student Loans
84.379 – TEACH Grant
(Student Financial Assistance Cluster)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): Various
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Gramm-Leach-Bliley Act-Student Information Security
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
Postsecondary institutions are required under the Gramm-Leach-Bliley Act (16 CFR § 314) to establish an information security program. This program should encompass a documented risk assessment, identifying internal and external risks to the security, confidentiality, and integrity of customer information. Additionally, the written information security program must outline the implementation of particular safeguards tailored to address the risks identified in the risk assessment.
Condition and Context:
The University of Arkansas Little Rock did not establish adequate internal controls over and did not comply with federal requirements to conduct a risk assessment of student information security in accordance with 16 CFR § 314.4.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The University of Arkansas Little Rock did not develop internal controls to monitor grant requirements, The required risk assessment and implementation of safeguards to control risk identified were inadequate to protect students’ financial aid information.
Effect:
Student information was more susceptible to unauthorized disclosure, misuse, alteration, destruction, or other compromise because risks could exist for which safeguards have not been designed and implemented.
Recommendation:
ALA recommends the University perform a risk assessment in accordance with 16 CFR § 314. This assessment should evaluate the risks associated with protecting students' financial aid information, covering all essential elements specified in 16 CFR § 314. Additionally, the University should establish a periodic review process to continuously comply with regulatory requirements, maintain a proactive approach to information security, develop an information security program, and implement a comprehensive set of safeguards tailored to address specific risks identified in the risk assessment.
Views of Responsible Officials and Planned Corrective Action:
Management understands the recommendations provided in the finding. We are planning on updating our 2021 Risk Assessment with our campus community in the near future. In accordance with ALA's recommendation, we will focus on GLBA 16 CFR 314 elements and financial aid data. As with our 2021 Risk Assessment, our plan will be reviewed and accepted by our Chancellor. We intend to have the Risk Assessment updated and reviewed by June 30, 2024. We will also coordinate the risks identified with the extensive list of controls and policies that currently protect student’s financial aid information. These include:
Acceptable Use Policy_V7_3.pdf
Antivirus and Malware Policy_V2_1.pdf
Cloud Services Policy_V1_2.pdf
Confluence Screenshots Of Contact Information For Critical Systems (1).pdf
Data Classification Policy_V1_2.pdf
Data Encryption Policy_V7_1.pdf
Data Management Use Protection Policy_V7_2.pdf
Data Protection Policy_V7_2
Data Protection Policy_V7_2.pdf
Disaster Recovery Business Continuity System Recovery Prioritization List_V1_2.pdf
Disaster Recovery Procedure_V1_5.pdf
Drive Data Deletion Policy_V7_2.pdf
E-Learning Policies_V7_1.pdf
Email and Digital Communication Policy_V8_2.pdf
Email and Digital Communication Policy_V8_2.pdf
Employee Data Deletion Policy_V7_2.pdf
Encryption of Sensitive Data on Transmission Policy_V7_2.pdf
Faculty Senate Legislation Reference_V6.1.pdf
Firewall Blacklist and Whitelist Policy_V7_2.pdf
Firewall Management Procedure_V7_2.pdf
GLBA Risk assessment.docx
Incident Response and Forensic Analysis Procedures_V7_5.pdf
IT Employee Departure Procedures_V7_2.pdf
IT Security Awareness and Competencies Policy_V1_5.pdf
IT Services System Administration Privileged Access Management Policy_V7_2.pdf
IT System Backup Procedures_V7_2.pdf
IT System Patching Process_V7_3.pdf
Lab / Classroom Administrative Rights Exception Request_V6_1.pdf
Local Firewall Procedures for Workstations and Mobile Devices_V7_2.pdf
Log Review Policy_V2_1.pdf
Mobile Device Security - Remote Email Destruction Process_V1_1.pdf
Mobile Device Security Policy_V2_1.pdf
Multi-factor Authentication - Information Technology Services - UA Little Rock.pdf
Network Patching Process_V1_1.pdf
PCI Compliance _ Training Policy_V7_2.pdf
Physical Security Policy_V1_3.pdf
Retention of Records Policies_V7_2.pdf
Security and Incident Response Team Policy_V1_3.pdf
Security and IT System Access Policy_V1_2.pdf
Student Account Deletion Policy_V7_2.pdf
System Log Requirements_V8_2.pdf
UALR Change Management Policy 2.2.pdf
Vendor Remote Access Policy_V1_1.pdf
Vulnerability Scan Policy_V7_2.pdf
Wireless Network Guest Security Policy_V1_1.pdf
Wireless Security Policy_V1_2.pdf
Workstation Administrative Rights Exception Request_V6_1.pdf
Anticipated Completion Date: June 30, 2024
Contact Person: Gerald J. Ganz, Jr.
Vice Chancellor for Finance & Administration
University of Arkansas at Little Rock
2801 S. University Avenue
Little Rock, AR 72204
501-916-5622
GJGanz@ualr.edu
Finding Number: 2023-009
State/Educational Agency(s): University of Arkansas – Little Rock
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.007 – Federal Supplemental Educational Opportunity Grants
84.033 – Federal Work Study Program
84.063 – Federal Pell Grant Program
84.268 – Federal Direct Student Loans
84.379 – TEACH Grant
(Student Financial Assistance Cluster)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): Various
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Gramm-Leach-Bliley Act-Student Information Security
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
Postsecondary institutions are required under the Gramm-Leach-Bliley Act (16 CFR § 314) to establish an information security program. This program should encompass a documented risk assessment, identifying internal and external risks to the security, confidentiality, and integrity of customer information. Additionally, the written information security program must outline the implementation of particular safeguards tailored to address the risks identified in the risk assessment.
Condition and Context:
The University of Arkansas Little Rock did not establish adequate internal controls over and did not comply with federal requirements to conduct a risk assessment of student information security in accordance with 16 CFR § 314.4.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The University of Arkansas Little Rock did not develop internal controls to monitor grant requirements, The required risk assessment and implementation of safeguards to control risk identified were inadequate to protect students’ financial aid information.
Effect:
Student information was more susceptible to unauthorized disclosure, misuse, alteration, destruction, or other compromise because risks could exist for which safeguards have not been designed and implemented.
Recommendation:
ALA recommends the University perform a risk assessment in accordance with 16 CFR § 314. This assessment should evaluate the risks associated with protecting students' financial aid information, covering all essential elements specified in 16 CFR § 314. Additionally, the University should establish a periodic review process to continuously comply with regulatory requirements, maintain a proactive approach to information security, develop an information security program, and implement a comprehensive set of safeguards tailored to address specific risks identified in the risk assessment.
Views of Responsible Officials and Planned Corrective Action:
Management understands the recommendations provided in the finding. We are planning on updating our 2021 Risk Assessment with our campus community in the near future. In accordance with ALA's recommendation, we will focus on GLBA 16 CFR 314 elements and financial aid data. As with our 2021 Risk Assessment, our plan will be reviewed and accepted by our Chancellor. We intend to have the Risk Assessment updated and reviewed by June 30, 2024. We will also coordinate the risks identified with the extensive list of controls and policies that currently protect student’s financial aid information. These include:
Acceptable Use Policy_V7_3.pdf
Antivirus and Malware Policy_V2_1.pdf
Cloud Services Policy_V1_2.pdf
Confluence Screenshots Of Contact Information For Critical Systems (1).pdf
Data Classification Policy_V1_2.pdf
Data Encryption Policy_V7_1.pdf
Data Management Use Protection Policy_V7_2.pdf
Data Protection Policy_V7_2
Data Protection Policy_V7_2.pdf
Disaster Recovery Business Continuity System Recovery Prioritization List_V1_2.pdf
Disaster Recovery Procedure_V1_5.pdf
Drive Data Deletion Policy_V7_2.pdf
E-Learning Policies_V7_1.pdf
Email and Digital Communication Policy_V8_2.pdf
Email and Digital Communication Policy_V8_2.pdf
Employee Data Deletion Policy_V7_2.pdf
Encryption of Sensitive Data on Transmission Policy_V7_2.pdf
Faculty Senate Legislation Reference_V6.1.pdf
Firewall Blacklist and Whitelist Policy_V7_2.pdf
Firewall Management Procedure_V7_2.pdf
GLBA Risk assessment.docx
Incident Response and Forensic Analysis Procedures_V7_5.pdf
IT Employee Departure Procedures_V7_2.pdf
IT Security Awareness and Competencies Policy_V1_5.pdf
IT Services System Administration Privileged Access Management Policy_V7_2.pdf
IT System Backup Procedures_V7_2.pdf
IT System Patching Process_V7_3.pdf
Lab / Classroom Administrative Rights Exception Request_V6_1.pdf
Local Firewall Procedures for Workstations and Mobile Devices_V7_2.pdf
Log Review Policy_V2_1.pdf
Mobile Device Security - Remote Email Destruction Process_V1_1.pdf
Mobile Device Security Policy_V2_1.pdf
Multi-factor Authentication - Information Technology Services - UA Little Rock.pdf
Network Patching Process_V1_1.pdf
PCI Compliance _ Training Policy_V7_2.pdf
Physical Security Policy_V1_3.pdf
Retention of Records Policies_V7_2.pdf
Security and Incident Response Team Policy_V1_3.pdf
Security and IT System Access Policy_V1_2.pdf
Student Account Deletion Policy_V7_2.pdf
System Log Requirements_V8_2.pdf
UALR Change Management Policy 2.2.pdf
Vendor Remote Access Policy_V1_1.pdf
Vulnerability Scan Policy_V7_2.pdf
Wireless Network Guest Security Policy_V1_1.pdf
Wireless Security Policy_V1_2.pdf
Workstation Administrative Rights Exception Request_V6_1.pdf
Anticipated Completion Date: June 30, 2024
Contact Person: Gerald J. Ganz, Jr.
Vice Chancellor for Finance & Administration
University of Arkansas at Little Rock
2801 S. University Avenue
Little Rock, AR 72204
501-916-5622
GJGanz@ualr.edu
Finding Number: 2023-009
State/Educational Agency(s): University of Arkansas – Little Rock
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.007 – Federal Supplemental Educational Opportunity Grants
84.033 – Federal Work Study Program
84.063 – Federal Pell Grant Program
84.268 – Federal Direct Student Loans
84.379 – TEACH Grant
(Student Financial Assistance Cluster)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): Various
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Gramm-Leach-Bliley Act-Student Information Security
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
Postsecondary institutions are required under the Gramm-Leach-Bliley Act (16 CFR § 314) to establish an information security program. This program should encompass a documented risk assessment, identifying internal and external risks to the security, confidentiality, and integrity of customer information. Additionally, the written information security program must outline the implementation of particular safeguards tailored to address the risks identified in the risk assessment.
Condition and Context:
The University of Arkansas Little Rock did not establish adequate internal controls over and did not comply with federal requirements to conduct a risk assessment of student information security in accordance with 16 CFR § 314.4.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The University of Arkansas Little Rock did not develop internal controls to monitor grant requirements, The required risk assessment and implementation of safeguards to control risk identified were inadequate to protect students’ financial aid information.
Effect:
Student information was more susceptible to unauthorized disclosure, misuse, alteration, destruction, or other compromise because risks could exist for which safeguards have not been designed and implemented.
Recommendation:
ALA recommends the University perform a risk assessment in accordance with 16 CFR § 314. This assessment should evaluate the risks associated with protecting students' financial aid information, covering all essential elements specified in 16 CFR § 314. Additionally, the University should establish a periodic review process to continuously comply with regulatory requirements, maintain a proactive approach to information security, develop an information security program, and implement a comprehensive set of safeguards tailored to address specific risks identified in the risk assessment.
Views of Responsible Officials and Planned Corrective Action:
Management understands the recommendations provided in the finding. We are planning on updating our 2021 Risk Assessment with our campus community in the near future. In accordance with ALA's recommendation, we will focus on GLBA 16 CFR 314 elements and financial aid data. As with our 2021 Risk Assessment, our plan will be reviewed and accepted by our Chancellor. We intend to have the Risk Assessment updated and reviewed by June 30, 2024. We will also coordinate the risks identified with the extensive list of controls and policies that currently protect student’s financial aid information. These include:
Acceptable Use Policy_V7_3.pdf
Antivirus and Malware Policy_V2_1.pdf
Cloud Services Policy_V1_2.pdf
Confluence Screenshots Of Contact Information For Critical Systems (1).pdf
Data Classification Policy_V1_2.pdf
Data Encryption Policy_V7_1.pdf
Data Management Use Protection Policy_V7_2.pdf
Data Protection Policy_V7_2
Data Protection Policy_V7_2.pdf
Disaster Recovery Business Continuity System Recovery Prioritization List_V1_2.pdf
Disaster Recovery Procedure_V1_5.pdf
Drive Data Deletion Policy_V7_2.pdf
E-Learning Policies_V7_1.pdf
Email and Digital Communication Policy_V8_2.pdf
Email and Digital Communication Policy_V8_2.pdf
Employee Data Deletion Policy_V7_2.pdf
Encryption of Sensitive Data on Transmission Policy_V7_2.pdf
Faculty Senate Legislation Reference_V6.1.pdf
Firewall Blacklist and Whitelist Policy_V7_2.pdf
Firewall Management Procedure_V7_2.pdf
GLBA Risk assessment.docx
Incident Response and Forensic Analysis Procedures_V7_5.pdf
IT Employee Departure Procedures_V7_2.pdf
IT Security Awareness and Competencies Policy_V1_5.pdf
IT Services System Administration Privileged Access Management Policy_V7_2.pdf
IT System Backup Procedures_V7_2.pdf
IT System Patching Process_V7_3.pdf
Lab / Classroom Administrative Rights Exception Request_V6_1.pdf
Local Firewall Procedures for Workstations and Mobile Devices_V7_2.pdf
Log Review Policy_V2_1.pdf
Mobile Device Security - Remote Email Destruction Process_V1_1.pdf
Mobile Device Security Policy_V2_1.pdf
Multi-factor Authentication - Information Technology Services - UA Little Rock.pdf
Network Patching Process_V1_1.pdf
PCI Compliance _ Training Policy_V7_2.pdf
Physical Security Policy_V1_3.pdf
Retention of Records Policies_V7_2.pdf
Security and Incident Response Team Policy_V1_3.pdf
Security and IT System Access Policy_V1_2.pdf
Student Account Deletion Policy_V7_2.pdf
System Log Requirements_V8_2.pdf
UALR Change Management Policy 2.2.pdf
Vendor Remote Access Policy_V1_1.pdf
Vulnerability Scan Policy_V7_2.pdf
Wireless Network Guest Security Policy_V1_1.pdf
Wireless Security Policy_V1_2.pdf
Workstation Administrative Rights Exception Request_V6_1.pdf
Anticipated Completion Date: June 30, 2024
Contact Person: Gerald J. Ganz, Jr.
Vice Chancellor for Finance & Administration
University of Arkansas at Little Rock
2801 S. University Avenue
Little Rock, AR 72204
501-916-5622
GJGanz@ualr.edu
Finding Number: 2023-010
State/Educational Agency(s): Southeast Arkansas College
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.007 – Federal Supplemental Educational Opportunity Grants
84.033 – Federal Work Study Program
84.063 – Federal Pell Grant Program
84.268 – Federal Direct Student Loans
(Student Financial Assistance Cluster)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): Various
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Gramm-Leach-Bliley Act-Student Information Security
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
Postsecondary institutions are required under the Gramm-Leach-Bliley Act (16 CFR § 314) to establish an information security program. This program should encompass a documented risk assessment, identifying internal and external risks to the security, confidentiality, and integrity of customer information. Additionally, the written information security program must outline the implementation of particular safeguards tailored to address the risks identified in the risk assessment.
Condition and Context:
Southeast Arkansas College did not establish adequate internal controls over and did not comply with federal requirements to conduct a risk assessment of student information security in accordance with 16 CFR § 314.4.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
Because Southeast Arkansas College did not develop internal controls to monitor grant requirements, the required risk assessment and implementation of safeguards to control risk identified were inadequate to protect students’ financial aid information.
Effect:
Student information was more susceptible to unauthorized disclosure, misuse, alteration, destruction, or other compromise because risks could exist for which safeguards have not been designed and implemented.
Recommendation:
ALA recommends the College perform a risk assessment in accordance with 16 CFR § 314. This assessment should evaluate the risks associated with protecting students' financial aid information, covering all essential elements specified in 16 CFR § 314. Additionally, the College should establish a periodic review process to continuously comply with regulatory requirements, maintain a proactive approach to information security, develop an information security program, and implement a comprehensive set of safeguards tailored to address specific risks identified in the risk assessment.
Views of Responsible Officials and Planned Corrective Action:
We agree with the auditor’s finding and recommendations, and the following corrective action will be taken to improve the situation:
• The Director of Computing Services will oversee the review subsections of 16 CFR 314 to ensure compliance with requirements.
o Perform a more thorough GLBA Risk Assessment, which will be used to improve the institution’s security policy and posture. This is outlined in 16 CFR 314(b).
o Improve safeguards and more frequent testing to improve system security and threat transparency will be added, including email security and log file monitoring, in addition to other controls as outlined in 16 CFR 314(c) and (d). Several quotes have been acquired and are in the process of being reviewed.
o Conduct a review of policies and training, as outlined in 16 CFR 314(e), and mitigate deficiencies in awareness training and policies.
o Improve documentation around third-party service providers to ensure compliance with 16 CFR 314(f).
o All response plans are to be reviewed and improved as needed because of the Risk Assessment and other monitoring activities to ensure appropriate activities are included and tested at regular intervals.
o The institution will develop a compliance document to record efforts according to each section of 16 CFR 314, including those areas that are already compliant.
It is the goal of SEARK College to remain in a state of continuous improvement and in compliance with required regulations. The Director of Computing Services will work with the Senior Leadership Team to ensure that appropriate resources are made available, and that activities occur in a timely manner.
Anticipated Completion Date: The indicated reviews and assessments are already in progress, with a goal of June 30, 2024, to have fully integrated the stated improvements into our systems and procedures.
Contact Person: JoAnn Dupra.
Director of Computing Services
Southeast Arkansas College
1900 Hazel St
Pine Bluff, AR 71603
(870) 543-5993
jdupra@seark.edu
Finding Number: 2023-010
State/Educational Agency(s): Southeast Arkansas College
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.007 – Federal Supplemental Educational Opportunity Grants
84.033 – Federal Work Study Program
84.063 – Federal Pell Grant Program
84.268 – Federal Direct Student Loans
(Student Financial Assistance Cluster)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): Various
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Gramm-Leach-Bliley Act-Student Information Security
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
Postsecondary institutions are required under the Gramm-Leach-Bliley Act (16 CFR § 314) to establish an information security program. This program should encompass a documented risk assessment, identifying internal and external risks to the security, confidentiality, and integrity of customer information. Additionally, the written information security program must outline the implementation of particular safeguards tailored to address the risks identified in the risk assessment.
Condition and Context:
Southeast Arkansas College did not establish adequate internal controls over and did not comply with federal requirements to conduct a risk assessment of student information security in accordance with 16 CFR § 314.4.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
Because Southeast Arkansas College did not develop internal controls to monitor grant requirements, the required risk assessment and implementation of safeguards to control risk identified were inadequate to protect students’ financial aid information.
Effect:
Student information was more susceptible to unauthorized disclosure, misuse, alteration, destruction, or other compromise because risks could exist for which safeguards have not been designed and implemented.
Recommendation:
ALA recommends the College perform a risk assessment in accordance with 16 CFR § 314. This assessment should evaluate the risks associated with protecting students' financial aid information, covering all essential elements specified in 16 CFR § 314. Additionally, the College should establish a periodic review process to continuously comply with regulatory requirements, maintain a proactive approach to information security, develop an information security program, and implement a comprehensive set of safeguards tailored to address specific risks identified in the risk assessment.
Views of Responsible Officials and Planned Corrective Action:
We agree with the auditor’s finding and recommendations, and the following corrective action will be taken to improve the situation:
• The Director of Computing Services will oversee the review subsections of 16 CFR 314 to ensure compliance with requirements.
o Perform a more thorough GLBA Risk Assessment, which will be used to improve the institution’s security policy and posture. This is outlined in 16 CFR 314(b).
o Improve safeguards and more frequent testing to improve system security and threat transparency will be added, including email security and log file monitoring, in addition to other controls as outlined in 16 CFR 314(c) and (d). Several quotes have been acquired and are in the process of being reviewed.
o Conduct a review of policies and training, as outlined in 16 CFR 314(e), and mitigate deficiencies in awareness training and policies.
o Improve documentation around third-party service providers to ensure compliance with 16 CFR 314(f).
o All response plans are to be reviewed and improved as needed because of the Risk Assessment and other monitoring activities to ensure appropriate activities are included and tested at regular intervals.
o The institution will develop a compliance document to record efforts according to each section of 16 CFR 314, including those areas that are already compliant.
It is the goal of SEARK College to remain in a state of continuous improvement and in compliance with required regulations. The Director of Computing Services will work with the Senior Leadership Team to ensure that appropriate resources are made available, and that activities occur in a timely manner.
Anticipated Completion Date: The indicated reviews and assessments are already in progress, with a goal of June 30, 2024, to have fully integrated the stated improvements into our systems and procedures.
Contact Person: JoAnn Dupra.
Director of Computing Services
Southeast Arkansas College
1900 Hazel St
Pine Bluff, AR 71603
(870) 543-5993
jdupra@seark.edu
Finding Number: 2023-010
State/Educational Agency(s): Southeast Arkansas College
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.007 – Federal Supplemental Educational Opportunity Grants
84.033 – Federal Work Study Program
84.063 – Federal Pell Grant Program
84.268 – Federal Direct Student Loans
(Student Financial Assistance Cluster)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): Various
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Gramm-Leach-Bliley Act-Student Information Security
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
Postsecondary institutions are required under the Gramm-Leach-Bliley Act (16 CFR § 314) to establish an information security program. This program should encompass a documented risk assessment, identifying internal and external risks to the security, confidentiality, and integrity of customer information. Additionally, the written information security program must outline the implementation of particular safeguards tailored to address the risks identified in the risk assessment.
Condition and Context:
Southeast Arkansas College did not establish adequate internal controls over and did not comply with federal requirements to conduct a risk assessment of student information security in accordance with 16 CFR § 314.4.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
Because Southeast Arkansas College did not develop internal controls to monitor grant requirements, the required risk assessment and implementation of safeguards to control risk identified were inadequate to protect students’ financial aid information.
Effect:
Student information was more susceptible to unauthorized disclosure, misuse, alteration, destruction, or other compromise because risks could exist for which safeguards have not been designed and implemented.
Recommendation:
ALA recommends the College perform a risk assessment in accordance with 16 CFR § 314. This assessment should evaluate the risks associated with protecting students' financial aid information, covering all essential elements specified in 16 CFR § 314. Additionally, the College should establish a periodic review process to continuously comply with regulatory requirements, maintain a proactive approach to information security, develop an information security program, and implement a comprehensive set of safeguards tailored to address specific risks identified in the risk assessment.
Views of Responsible Officials and Planned Corrective Action:
We agree with the auditor’s finding and recommendations, and the following corrective action will be taken to improve the situation:
• The Director of Computing Services will oversee the review subsections of 16 CFR 314 to ensure compliance with requirements.
o Perform a more thorough GLBA Risk Assessment, which will be used to improve the institution’s security policy and posture. This is outlined in 16 CFR 314(b).
o Improve safeguards and more frequent testing to improve system security and threat transparency will be added, including email security and log file monitoring, in addition to other controls as outlined in 16 CFR 314(c) and (d). Several quotes have been acquired and are in the process of being reviewed.
o Conduct a review of policies and training, as outlined in 16 CFR 314(e), and mitigate deficiencies in awareness training and policies.
o Improve documentation around third-party service providers to ensure compliance with 16 CFR 314(f).
o All response plans are to be reviewed and improved as needed because of the Risk Assessment and other monitoring activities to ensure appropriate activities are included and tested at regular intervals.
o The institution will develop a compliance document to record efforts according to each section of 16 CFR 314, including those areas that are already compliant.
It is the goal of SEARK College to remain in a state of continuous improvement and in compliance with required regulations. The Director of Computing Services will work with the Senior Leadership Team to ensure that appropriate resources are made available, and that activities occur in a timely manner.
Anticipated Completion Date: The indicated reviews and assessments are already in progress, with a goal of June 30, 2024, to have fully integrated the stated improvements into our systems and procedures.
Contact Person: JoAnn Dupra.
Director of Computing Services
Southeast Arkansas College
1900 Hazel St
Pine Bluff, AR 71603
(870) 543-5993
jdupra@seark.edu
Finding Number: 2023-010
State/Educational Agency(s): Southeast Arkansas College
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.007 – Federal Supplemental Educational Opportunity Grants
84.033 – Federal Work Study Program
84.063 – Federal Pell Grant Program
84.268 – Federal Direct Student Loans
(Student Financial Assistance Cluster)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): Various
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Gramm-Leach-Bliley Act-Student Information Security
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
Postsecondary institutions are required under the Gramm-Leach-Bliley Act (16 CFR § 314) to establish an information security program. This program should encompass a documented risk assessment, identifying internal and external risks to the security, confidentiality, and integrity of customer information. Additionally, the written information security program must outline the implementation of particular safeguards tailored to address the risks identified in the risk assessment.
Condition and Context:
Southeast Arkansas College did not establish adequate internal controls over and did not comply with federal requirements to conduct a risk assessment of student information security in accordance with 16 CFR § 314.4.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
Because Southeast Arkansas College did not develop internal controls to monitor grant requirements, the required risk assessment and implementation of safeguards to control risk identified were inadequate to protect students’ financial aid information.
Effect:
Student information was more susceptible to unauthorized disclosure, misuse, alteration, destruction, or other compromise because risks could exist for which safeguards have not been designed and implemented.
Recommendation:
ALA recommends the College perform a risk assessment in accordance with 16 CFR § 314. This assessment should evaluate the risks associated with protecting students' financial aid information, covering all essential elements specified in 16 CFR § 314. Additionally, the College should establish a periodic review process to continuously comply with regulatory requirements, maintain a proactive approach to information security, develop an information security program, and implement a comprehensive set of safeguards tailored to address specific risks identified in the risk assessment.
Views of Responsible Officials and Planned Corrective Action:
We agree with the auditor’s finding and recommendations, and the following corrective action will be taken to improve the situation:
• The Director of Computing Services will oversee the review subsections of 16 CFR 314 to ensure compliance with requirements.
o Perform a more thorough GLBA Risk Assessment, which will be used to improve the institution’s security policy and posture. This is outlined in 16 CFR 314(b).
o Improve safeguards and more frequent testing to improve system security and threat transparency will be added, including email security and log file monitoring, in addition to other controls as outlined in 16 CFR 314(c) and (d). Several quotes have been acquired and are in the process of being reviewed.
o Conduct a review of policies and training, as outlined in 16 CFR 314(e), and mitigate deficiencies in awareness training and policies.
o Improve documentation around third-party service providers to ensure compliance with 16 CFR 314(f).
o All response plans are to be reviewed and improved as needed because of the Risk Assessment and other monitoring activities to ensure appropriate activities are included and tested at regular intervals.
o The institution will develop a compliance document to record efforts according to each section of 16 CFR 314, including those areas that are already compliant.
It is the goal of SEARK College to remain in a state of continuous improvement and in compliance with required regulations. The Director of Computing Services will work with the Senior Leadership Team to ensure that appropriate resources are made available, and that activities occur in a timely manner.
Anticipated Completion Date: The indicated reviews and assessments are already in progress, with a goal of June 30, 2024, to have fully integrated the stated improvements into our systems and procedures.
Contact Person: JoAnn Dupra.
Director of Computing Services
Southeast Arkansas College
1900 Hazel St
Pine Bluff, AR 71603
(870) 543-5993
jdupra@seark.edu
Finding Number: 2023-011
State/Educational Agency(s): Arkansas Department of Education
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.425D – COVID 19: Elementary and Secondary School
Emergency Relief (ESSER) Fund
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): S425D210039
Federal Award Year(s): 2021
Compliance Requirement(s) Affected: Reporting
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
Not applicable
Criteria:
In accordance with 2 CFR § 200.302, the auditee must provide an accurate, current, and complete disclosure of the financial results of each federal award or program in accordance with the reporting requirements.
In addition, the U.S. Department of Education’s Office of Elementary and Secondary Education requires ESSER grantees to submit an Annual Performance Report (APR) with data on expenditures, planned expenditures, subrecipients, and uses of funds.
Condition and Context:
To aid in the completion of year three’s ESSER APR, Agency staff obtained data from the Arkansas Public School Computer Network (APSCN), the accounting system utilized by Local Educational Agencies (LEAs), to monitor program expenditures. The data was compiled by Agency staff and was included on the templates provided by the U.S. Department of Education (ED).
To ensure compliance with line item 3.b1 – LEA Expenditures by ESSER Subgrant Fund and Expenditure Category of the APR, which is identified in the Compliance Supplement as a key line item, ALA performed a review of the data included on the templates that was uploaded to the Annual Reporting Data Collection Tool on the ED website. The template includes data for the 255 participating LEAs.
ALA’s review of the data template revealed a clerical error that reported LEAs’ grand totals as non-LEA expenditures. The clerical error resulted in overstated expenditures in the following categories:
• Meeting students’ academic, social, emotional, and other needs - $89,966,926 overstatement;
• Mental health supports for students and staff - $1,428,542 overstatement;
• Operational continuity and other allowed uses - $62,756,767 overstatement
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Overstated amount - $154,152,235
Cause:
The Agency failed to ensure LEA expenditures reflected in the APSCN report were adequately represented on the ESSER II annual report.
Effect:
Inaccurate data was submitted to the federal awarding agency.
Recommendation:
ALA staff recommend the Agency implement additional procedures and controls over the reporting process to ensure reports are thoroughly reviewed prior to submission.
Views of Responsible Officials and Planned Corrective Action:
Arkansas Department of Education recognizes this finding. ADE Finance completed the named report which contained a subtotal error that overstated the totals when provided to Legislative Auditors. However, logic verifications built into the Federal System disallowed the items mentioned to be submitted. Therefore, the data reflected in Federal reporting for Arkansas was not overstated nor actual expenses and associated drawdowns completed erroneously. This information was confirmed with the U.S. Department of Education (ED) on February 21, 2024.
ADE Finance assures that revisions to the FY23 ESSER data template will be made and uploaded to the Federal Reporting System during the allowable period of July 29, 2024, and August 15, 2024.
Anticipated Completion Date: Data was effectively corrected at the time of reporting within the Federal System. ADE Finance will revise its uploaded FY23 ESSER data template during the allowable period of July 29, 2024, through August 15, 2024.
Contact Person: Amy Thomas
Accounting Operations Manager
Arkansas Department of Education
Four Capitol Mall, Room 204
Little Rock, AR 72201
501-682-3636
Amy.Thomas@ade.arkansas.gov
Finding Number: 2023-012
State/Educational Agency(s): Arkansas Department of Education
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.425D – COVID 19: Elementary and Secondary School
Emergency Relief (ESSER) Fund;
84.425U – COVID 19: American Rescue Plan – Elementary and
Secondary School Emergency Relief (ARP ESSER)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): S425D2000039; S425D210039; S425U210039
Federal Award Year(s): 2020 and 2021
Compliance Requirement(s) Affected: Reporting
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
Not applicable
Criteria:
In accordance with 2 CFR § 200.302, the auditee must provide an accurate, current, and complete disclosure of the financial results of each federal award or program in accordance with the reporting requirements.
In addition, the U.S. Department of Education’s Office of Elementary and Secondary Education requires ESSER grantees to submit an Annual Performance Report (APR) with data on expenditures, planned expenditures, subrecipients, and uses of funds.
Condition and Context:
To accurately complete the ESSER APR, the Agency prepared a survey to be completed by each of the Local Educational Agencies (LEAs) to capture data to complete specific lines of the APR. The completed surveys were compiled and included on the templates provided by the U.S. Department of Education (ED). The surveys contained the number of staff supported by ESSER funding and the total expenditure amount by position categories. Each LEA utilizes the Arkansas Public School Computer Network (APSCN) to process and track its expenditures. Agency staff also have access to APSCN.
To ensure compliance with line item 3.b10 – LEA Hiring and Retention of Specific Positions of the APR, which is identified in the Compliance Supplement as a key line item, ALA performed a review of the data included on the template that was uploaded to the Annual Reporting Data Collection Tool on the ED website. The template includes data for the 263 participating LEAs.
A sample of 25 LEAs was selected to determine if the data included in the template was supported by data submitted by the LEA on the survey. ALA review revealed that the data uploaded on the template is supported by the surveys completed and submitted by each LEA.
However, the survey data does not represent the salary expenditures reflected in APSCN. As a result, ALA performed a comparison between the total salary and benefit expenditures reflected in APSCN to the total salary and benefit expenditures reported on the APR. ALA review revealed that the total amount reported as expended for staff supported by ESSER funds is understated by $98,192,610. (It should be noted that 22 of the 263 LEAs reported accurate salary expenditures supported by APSCN.)
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Understated amount - $98,192,610
Cause:
The survey provided by the Agency to capture the data necessary to complete the key line item on the APR did not contain sufficient instructions to ensure each LEA completed the survey accurately. As a result, multiple LEAs submitted inaccurate information and the Agency failed to perform additional procedures to corroborate the survey data provided.
Effect:
Inaccurate data was submitted on the APR.
Recommendation:
ALA staff recommend the Agency strengthen controls over reporting to ensure that amounts reported are accurate, complete, and properly supported by the appropriate records and documentation to ensure compliance with federal laws and regulations.
Views of Responsible Officials and Planned Corrective Action:
Arkansas Department of Education recognizes this finding. The ADE Finance unit utilized data extracted from the statewide Local Educational Agencies (LEAs) system, APSCN, for the majority of parameters reported. However, APSCN does not have the ability to cross-reference financial expenses with Local Educational Agency’s (LEAs) personnel data, which led to the creation of the survey. LEAs were expected to report data during a subsequent school year post COVID-19 Pandemic. ADE gathered state total expenses for requested categories from the system compiled with the requested breakdowns by position type obtained in the manual survey. The two data sets did not align, thus seen in Questioned Costs which reflects the difference between the two datasets. LEA actual expenses, associated drawdowns, and disbursements were not affected by the amounts reported in the annual ESSER data.
ADE Finance is currently working with APSCN personnel to explore options for assembling data without manual input from LEAs. When implemented, discrepancies in the state data reported to federal systems and LEAs data should not exist. ADE has the goal of utilizing this method for FY23 reporting in May 2024.
Anticipated Completion Date: ADE Finance will revise its uploaded FY22 ESSER data template during the allowable period of July 29, 2024, through August 15, 2024.
Contact Person: Amy Thomas
Accounting Operations Manager
Arkansas Department of Education
Four Capitol Mall, Room 204
Little Rock, AR 72201
501-682-3636
Amy.Thomas@ade.arkansas.gov
Finding Number: 2023-013
State/Educational Agency(s): Arkansas Department of Education
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.425D – COVID 19: Elementary and Secondary School
Emergency Relief (ESSER) Fund
84.425U – COVID 19: American Rescue Plan – Elementary and
Secondary School Emergency Relief (ARP ESSER)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): S425D2000039; S425D210039; S425U210039
Federal Award Year(s): 2020 and 2021
Compliance Requirement(s) Affected: Reporting
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
Not applicable
Criteria:
In accordance with 2 CFR § 200.302, the auditee must provide an accurate, current, and complete disclosure of the financial results of each federal award or program in accordance with the reporting requirements.
In addition, 2 CFR § 200.303(a) requires a non-federal entity to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the award in compliance with federal statutes, regulations, and the terms and conditions of the grant award.
Condition and Context:
To ensure compliance with year three’s ESSER Annual Performance Report (APR), ALA performed a review of line item 5.a – Full-Time Equivalent (FTE) Positions, which is identified in the Compliance Supplement as a key line item, to determine if the information reported was accurate and properly supported with accounting records for Local Educational Agencies (LEAs) and non-LEAs. Agency staff utilized the template provided by the U.S. Department of Education (ED) to upload data to the Annual Reporting Data Collection Tool. The template includes data for the 256 participating LEAs and 41 non-LEAs.
The Agency estimated the FTE position data for non-LEAs based on websites and other available information but did not maintain supporting documentation for the information reported to the federal awarding agency. As a result, ALA staff were unable to verify that the data was accurate and complete.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Unknown
Cause:
The Agency did not maintain appropriate supporting documentation.
Effect:
The accuracy of data submitted to the federal awarding agency is unknown.
Recommendation:
ALA staff recommend the Agency strengthen internal controls over the review of special reports to ensure reported data is appropriately supported in accordance with federal laws and regulations.
Views of Responsible Officials and Planned Corrective Action:
Arkansas Department of Education recognizes this finding. ADE Finance understands the importance of supporting documentation for non-LEAs and has implemented a plan for FY23 communications. Furthermore, ADE Finance conducted follow-up communication with the U.S. Department of Education (ED) on March 1, 2024. It was concluded that FTE position data for non-LEAs were optional for Years 1 and 2 Annual Performance Reports per the ESSER Form Review Webinar Guidance. ADE was further instructed to omit non-LEA information from the template should it be unreasonable to provide for the FY22 reporting year in question.
ADE will ensure non-LEA entities provide the requested 5.a – Full-Time Equivalent (FTE) Compliance Supplement information for supporting documentation with FY23 and subsequent Reporting Periods.
Anticipated Completion Date: May 2024. ADE Finance is coordinating communication with non-Local Educational Agencies (non-LEAs) in effort to revise the data for FY22, however will omit the related data per U.S. Department of Education (ED) guidance provided on March 1, 2024, should non-LEAs be unable to provide quality data.
Contact Person: Amy Thomas
Accounting Operations Manager
Arkansas Department of Education
Four Capitol Mall, Room 204
Little Rock, AR 72201
501-682-3636
Amy.Thomas@ade.arkansas.gov
Finding Number: 2023-012
State/Educational Agency(s): Arkansas Department of Education
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.425D – COVID 19: Elementary and Secondary School
Emergency Relief (ESSER) Fund;
84.425U – COVID 19: American Rescue Plan – Elementary and
Secondary School Emergency Relief (ARP ESSER)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): S425D2000039; S425D210039; S425U210039
Federal Award Year(s): 2020 and 2021
Compliance Requirement(s) Affected: Reporting
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
Not applicable
Criteria:
In accordance with 2 CFR § 200.302, the auditee must provide an accurate, current, and complete disclosure of the financial results of each federal award or program in accordance with the reporting requirements.
In addition, the U.S. Department of Education’s Office of Elementary and Secondary Education requires ESSER grantees to submit an Annual Performance Report (APR) with data on expenditures, planned expenditures, subrecipients, and uses of funds.
Condition and Context:
To accurately complete the ESSER APR, the Agency prepared a survey to be completed by each of the Local Educational Agencies (LEAs) to capture data to complete specific lines of the APR. The completed surveys were compiled and included on the templates provided by the U.S. Department of Education (ED). The surveys contained the number of staff supported by ESSER funding and the total expenditure amount by position categories. Each LEA utilizes the Arkansas Public School Computer Network (APSCN) to process and track its expenditures. Agency staff also have access to APSCN.
To ensure compliance with line item 3.b10 – LEA Hiring and Retention of Specific Positions of the APR, which is identified in the Compliance Supplement as a key line item, ALA performed a review of the data included on the template that was uploaded to the Annual Reporting Data Collection Tool on the ED website. The template includes data for the 263 participating LEAs.
A sample of 25 LEAs was selected to determine if the data included in the template was supported by data submitted by the LEA on the survey. ALA review revealed that the data uploaded on the template is supported by the surveys completed and submitted by each LEA.
However, the survey data does not represent the salary expenditures reflected in APSCN. As a result, ALA performed a comparison between the total salary and benefit expenditures reflected in APSCN to the total salary and benefit expenditures reported on the APR. ALA review revealed that the total amount reported as expended for staff supported by ESSER funds is understated by $98,192,610. (It should be noted that 22 of the 263 LEAs reported accurate salary expenditures supported by APSCN.)
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Understated amount - $98,192,610
Cause:
The survey provided by the Agency to capture the data necessary to complete the key line item on the APR did not contain sufficient instructions to ensure each LEA completed the survey accurately. As a result, multiple LEAs submitted inaccurate information and the Agency failed to perform additional procedures to corroborate the survey data provided.
Effect:
Inaccurate data was submitted on the APR.
Recommendation:
ALA staff recommend the Agency strengthen controls over reporting to ensure that amounts reported are accurate, complete, and properly supported by the appropriate records and documentation to ensure compliance with federal laws and regulations.
Views of Responsible Officials and Planned Corrective Action:
Arkansas Department of Education recognizes this finding. The ADE Finance unit utilized data extracted from the statewide Local Educational Agencies (LEAs) system, APSCN, for the majority of parameters reported. However, APSCN does not have the ability to cross-reference financial expenses with Local Educational Agency’s (LEAs) personnel data, which led to the creation of the survey. LEAs were expected to report data during a subsequent school year post COVID-19 Pandemic. ADE gathered state total expenses for requested categories from the system compiled with the requested breakdowns by position type obtained in the manual survey. The two data sets did not align, thus seen in Questioned Costs which reflects the difference between the two datasets. LEA actual expenses, associated drawdowns, and disbursements were not affected by the amounts reported in the annual ESSER data.
ADE Finance is currently working with APSCN personnel to explore options for assembling data without manual input from LEAs. When implemented, discrepancies in the state data reported to federal systems and LEAs data should not exist. ADE has the goal of utilizing this method for FY23 reporting in May 2024.
Anticipated Completion Date: ADE Finance will revise its uploaded FY22 ESSER data template during the allowable period of July 29, 2024, through August 15, 2024.
Contact Person: Amy Thomas
Accounting Operations Manager
Arkansas Department of Education
Four Capitol Mall, Room 204
Little Rock, AR 72201
501-682-3636
Amy.Thomas@ade.arkansas.gov
Finding Number: 2023-013
State/Educational Agency(s): Arkansas Department of Education
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.425D – COVID 19: Elementary and Secondary School
Emergency Relief (ESSER) Fund
84.425U – COVID 19: American Rescue Plan – Elementary and
Secondary School Emergency Relief (ARP ESSER)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): S425D2000039; S425D210039; S425U210039
Federal Award Year(s): 2020 and 2021
Compliance Requirement(s) Affected: Reporting
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
Not applicable
Criteria:
In accordance with 2 CFR § 200.302, the auditee must provide an accurate, current, and complete disclosure of the financial results of each federal award or program in accordance with the reporting requirements.
In addition, 2 CFR § 200.303(a) requires a non-federal entity to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the award in compliance with federal statutes, regulations, and the terms and conditions of the grant award.
Condition and Context:
To ensure compliance with year three’s ESSER Annual Performance Report (APR), ALA performed a review of line item 5.a – Full-Time Equivalent (FTE) Positions, which is identified in the Compliance Supplement as a key line item, to determine if the information reported was accurate and properly supported with accounting records for Local Educational Agencies (LEAs) and non-LEAs. Agency staff utilized the template provided by the U.S. Department of Education (ED) to upload data to the Annual Reporting Data Collection Tool. The template includes data for the 256 participating LEAs and 41 non-LEAs.
The Agency estimated the FTE position data for non-LEAs based on websites and other available information but did not maintain supporting documentation for the information reported to the federal awarding agency. As a result, ALA staff were unable to verify that the data was accurate and complete.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Unknown
Cause:
The Agency did not maintain appropriate supporting documentation.
Effect:
The accuracy of data submitted to the federal awarding agency is unknown.
Recommendation:
ALA staff recommend the Agency strengthen internal controls over the review of special reports to ensure reported data is appropriately supported in accordance with federal laws and regulations.
Views of Responsible Officials and Planned Corrective Action:
Arkansas Department of Education recognizes this finding. ADE Finance understands the importance of supporting documentation for non-LEAs and has implemented a plan for FY23 communications. Furthermore, ADE Finance conducted follow-up communication with the U.S. Department of Education (ED) on March 1, 2024. It was concluded that FTE position data for non-LEAs were optional for Years 1 and 2 Annual Performance Reports per the ESSER Form Review Webinar Guidance. ADE was further instructed to omit non-LEA information from the template should it be unreasonable to provide for the FY22 reporting year in question.
ADE will ensure non-LEA entities provide the requested 5.a – Full-Time Equivalent (FTE) Compliance Supplement information for supporting documentation with FY23 and subsequent Reporting Periods.
Anticipated Completion Date: May 2024. ADE Finance is coordinating communication with non-Local Educational Agencies (non-LEAs) in effort to revise the data for FY22, however will omit the related data per U.S. Department of Education (ED) guidance provided on March 1, 2024, should non-LEAs be unable to provide quality data.
Contact Person: Amy Thomas
Accounting Operations Manager
Arkansas Department of Education
Four Capitol Mall, Room 204
Little Rock, AR 72201
501-682-3636
Amy.Thomas@ade.arkansas.gov
Finding Number: 2023-014
State/Educational Agency(s): Arkansas Department of Finance and Administration –
Office of Child Support Enforcement
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 93.563 – Child Support Enforcement
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 2201ARCSES
Federal Award Year(s): 2022
Compliance Requirement(s) Affected: Allowable Costs/Cost Principles;
Cash Management;
Matching, Level of Effort, Earmarking
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
In accordance with 45 CFR § 75.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statues, regulations, and terms and conditions of the award.
In addition, 45 CFR § 75.403(f) states that factors affecting the allowability of costs include ensuring the costs were not included as a cost of any other federally financed program in either the current or a prior period.
Condition and Context:
During the reconciliation of expenditures, ALA reviewed all miscellaneous revenue and other receipts to determine if the Agency calculated the correct state match and used allowable sources of revenue.
ALA review revealed that the Agency received a one-time transfer from the Coronavirus Aid, Relief and Economic Security (CARES) Act federal program (ALN # 21.019) totaling $760,938. These funds were used to reimburse the Agency’s payroll expenditures, which is allowable. However, the Agency failed to reduce its subsequent request for reimbursement from the Child Support Enforcement program by the $760,938 it had received from CARES Act funds. As a result, the Agency was reimbursed an additional $502,219 ($760,938 x 66%) for the same payroll expenditures from the Child Support Enforcement program, which is unallowable.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$ 502,219
Cause:
The Agency did not remove CARES Act funds used as reimbursement for a portion of payroll expenditures from its subsequent matching calculation for the Child Support Enforcement Program.
Effect:
The Agency received reimbursement in excess of what was allowable resulting in a liability, totaling $502,219, to the federal awarding agency of the Child Support Enforcement Program.
Recommendation:
ALA staff recommend the Agency strengthen internal controls over the affected compliance areas to ensure all costs reimbursed by another federal program are adequately tracked and removed from the reimbursement request for the Child Support Enforcement Program. In addition, ALA staff recommend the Agency contact the federal awarding agency to resolve this matter.
Views of Responsible Officials and Planned Corrective Action:
The agency agrees with the finding. We found an error in the formula of the worksheet used for the preparation and submission of the quarterly expenditure report. The error resulted in not properly reporting the CARES Act reimbursement.
The agency will report to the federal Child Support Services program to account for the over-reimbursement of federal share of expenditures. The error in the specific worksheet that resulted in the over-reporting of allowed expenditures has been corrected. Further, the agency will perform a review of all other subsidiary reports and worksheets that are used in preparation of the federal expenditure reports. This will be done in order to ensure that the federal reports are prepared accurately. Additionally, procedures for review of report preparation will be enhanced to further strengthen internal controls.
Anticipated Completion Date: Correction of the specific worksheet deficiency has been completed. Corrections to the federal reports to account for the over-reimbursement will be completed in the next federal reporting cycle due on May 15, 2024. Review of all other subsidiary reports and worksheets and the enhanced report preparation review is part of an ongoing project to be completed no later than August 15, 2024.
Contact Person: Robert Hallmark
Agency Controller II Agency Controller II
Department of Finance and Administration-Office of Child Support Enforcement
322 S Main St, Suite 100
Little Rock, AR 72201
501-682-6306
Robert.Hallmark@ocse.arkansas.gov
Finding Number: 2023-015
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.659 – Adoption Assistance
Federal Awarding Agency: U.S. Department of Human Services
Federal Award Number(s): Various
Federal Award Year(s): Various
Compliance Requirement(s) Affected: Eligibility
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
Not applicable.
Criteria:
In accordance with 45 CFR 1356.40(b)(1), the adoption assistance agreement must be signed and in effect at the time of or prior to the final decree of adoption. The adoption assistance agreement is defined at 42 USC 675(3).
Condition and Context:
ALA staff reviewed 60 client adoption files to ensure sufficient, appropriate evidence was provided to support the Agency’s determination of eligibility. The clients selected for testing had adoption legalization dates that spanned from March 2006 to April 2023. The review revealed deficiencies as summarized below:
• One client file, with an adoption legalization date of July 16, 2010, did not contain a signed subsidy agreement. The adoptive parents received monthly subsidy payments from August 2010 - present. Questioned costs representing the federal portion, totaled $51,098, as follows:
$3,281 - SFY 2011
$3,487 - SFY 2012
$3,648 - SFY 2013
$3,702 - SFY 2014
$3.784 - SFY 2015
$3,708 - SFY 2016
$3,684 - SFY 2017
$3,726 - SFY 2018
$3,918 - SFY 2019
$4,190 - SFY 2020
$4,370 - SFY 2021
$4,594 - SFY 2022
$4,637 - SFY 2023
$ 369 - SFY 2024
• Two subsidy agreements, with adoption legalized dates of March 9, 2006, and May 27, 2009, respectively, were signed but not dated by the adoptive parents. However, the agreements were signed and dated by the Division of Child and Family Services (DCFS) Director.
• One subsidy agreement, signed and dated by the adoptive parents and DCFS Director, stated the adoptive family qualified for a “deferred subsidy.” The agreement did not authorize a federal subsidy at the time of adoption. A keying error in the Children’s Reporting and Information System (CHRIS) caused the adoptive family to begin receiving a federal subsidy on the decree of adoption date. The adoptive parents received three unauthorized monthly subsidy payments in state fiscal year 2023. Questioned costs representing the federal portion, totaled $737.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$51,835
Cause:
DCFS did not maintain sufficient records to support the adoption subsidy agreement with the parents of the adopted child.
Effect:
DCFS does not have adequate documentation supporting the eligibility of federal adoption subsidy payments made on behalf of adopted children.
Recommendation:
ALA staff recommend the Agency continue providing adequate communication with and training to appropriate personnel to ensure compliance with program requirements and retention of documentation.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. The agency has updated its documented controls to require confirmation that agreements are signed by all parties before processing adoption subsidy packets. Adoption staff will be trained on the updated controls.
Anticipated Completion Date: 3/31/2024
Contact Person: Tiffany Wright
Director, Division of Children and Family Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-396-6477
Tiffany.Wright@dhs.arkansas.gov
Finding Number: 2023-016
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.659 – Adoption Assistance
Federal Awarding Agency: U.S. Department of Human Services
Federal Award Number(s): Various
Federal Award Year(s): Various
Compliance Requirement(s) Affected: Eligibility
Type of Finding: Material Weakness
Repeat Finding:
Not applicable
Criteria:
In accordance with 42 USC § 673 (a)(4)(A) and (B), a payment may not be made to parents with respect to a child if the state determines that the parents are no longer legally responsible for the support of the child or if the state determines that the child is no longer receiving any support from the parents. Parents who have been receiving adoption assistance payments shall keep the state, administering the program, informed of circumstances that would make them ineligible for the payments.
In accordance with 45 CFR § 75.303, a non-federal entity must:
• Establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. These controls should be in compliance with Green Book or COSO guidance.
• Evaluate and monitor its compliance with the award.
• Take prompt action when instances of noncompliance are identified, including noncompliance identified in audit findings.
Condition and Context:
When an adoptive parent is no longer legally responsible for the support of the child (i.e., death of parent, termination of parental rights, child no longer receiving support from parent), the Adoption Unit must be notified in order to end the adoption subsidy. However, the notifications are not always timely, and the required information entered into the Children’s Reporting and Information System (CHRIS) can be delayed, resulting in payments made to parents past the subsidy end date. As a result, the Agency established internal control procedures to identify these types of payments and the overpayment information is provided to the accounts receivable department for collection.
ALA obtained a report from Division of Children and Family Services (DCFS) staff that contained all subsidy overpayments for the state fiscal year ended June 30, 2023. The report revealed subsidy overpayments for 29 clients with payments made to 22 providers. ALA reviewed documentation for five clients to ensure that the overpayments were researched and properly submitted for collection and that proper collection efforts were made by the accounts receivable department.
ALA review revealed the following deficiencies:
• Three subsidy payments, totaling $1,016, were made on behalf of three children subsequent to the death of the provider. The adoption unit failed to properly research the event to determine if an overpayment had occurred. As a result, questioned costs representing the federal portion, totaled $787.
• Two subsidy payments, totaling $1,170, were made subsequent to the death of one client. The adoption unit failed to properly research the event to determine if an overpayment had occurred. As a result, questioned costs representing the federal portion, totaled $908.
Condition and Context (Continued):
• The Agency did not receive timely notification that parental rights had been terminated for three clients. As a result, 91 subsidy payments, totaling $40,638, were processed in error. A portion of these payments dated back to prior fiscal years 2018 through 2022. Additionally, when discovered, the overpayment information sent to the accounts receivable department for two clients was not complete. Questioned costs representing the federal portion, totaled $30,713, as follows:
$2,837 - SFY 2018
$3,749 - SFY 2019
$4,190 - SFY 2020
$5,738 - SFY 2021
$9,457 - SFY 2022
$4,742 - SFY 2023
The following discoveries contributed to the errors regarding the overpayments for the three clients noted above and are as follows:
• For two of the three clients whose overpayment balance was submitted to Accounts Receivable (A/R) for collection, A/R failed to send the Notice of Collection letters to the providers. The letter is sent via certified mail, and the provider is required to sign for the letter. The signed notice is required before A/R can pursue any legal action to collect the overpayment from the provider.
• For three providers, the subsidy overpayment was recorded in the Agency’s accounts receivable system (AROPTS) as a Foster Care Board overpayment. As a result, the Demand Notice and the Notice to Intercept State Income Tax Refund(s) sent to the provider misrepresented the overpayment as Foster Care instead of Adoption Assistance.
• In one instance, the Demand Notice and the Notice to Intercept State Income Tax Refund(s) sent to the provider included inaccurate overpayment information. Each notice letter included different overpayment information and did not agree to the overpayment amount submitted from the Adoption Unit to A/R.
• One provider submitted a reimbursement totaling $920, but it was not properly recorded by A/R. As a result, the overpayment balance was not appropriately reduced.
Further discussion with the Agency revealed that adjustments have not been made for these overpayments on the quarterly federal financial reports or communicated with the federal awarding agency.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$32,408
Cause:
The internal control process for identifying, researching, calculating, and submitting overpayments to A/R is not adequate. In addition, internal control procedures for processing and collecting overpayments by A/R are not adequate. Finally, the adoption unit is not notified of relevant events timely resulting in the ending of a subsidy.
Effect:
The Division of Children and Family Services does not have an adequate process in place to accurately identify and calculate overpayments and properly notify the Agency’s A/R department that an overpayment has occurred. In addition, the Agency’s A/R department does not have an adequate process in place to effectively and efficiently attempt to collect adoption subsidy overpayments. Finally, the federal awarding agency may require recoupment.
Recommendation:
ALA staff recommend the Agency immediately update its internal control procedures document regarding the overpayment processes and provide relevant training to staff. In addition, ALA staff recommend the Agency immediately develop procedures for notifying the Adoption Unit of the termination of adoptive parent parental rights to ensure subsidy end date information is processed timely.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. The agency has updated its internal controls procedures to require enhanced review of payments made after the death of a provider or a client and enhanced monitoring of when a client is removed from an adoptive parent’s home. The Accounts Receivable Unit in the Office of Finance has implemented systems changes that ensures all claims will generate a collections notice with the correct claims data. The noted outstanding collection notices have been sent and data entry errors have been corrected.
Anticipated Completion Date: Complete
Contact Person: Tiffany Wright
Director, Division of Children and Family Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-396-6477
Tiffany.Wright@dhs.arkansas.gov
Finding Number: 2023-017
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.659 – Adoption Assistance
Federal Awarding Agency: U.S. Department of Human Services
Federal Award Number(s): 2301ARADPT; 2201ARADPT; 2101ARADPT
Federal Award Year(s): 2021, 2022, and 2023
Compliance Requirement(s) Affected: Matching, Level of Effort, Earmarking
Type of Finding: Material Weakness
Repeat Finding:
Not applicable
Criteria:
In accordance with 45 CFR § 75.303, a non-federal entity must establish and maintain effective internal control over a federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.
Additionally, 45 CFR 75.342(a) states that a non-federal entity is responsible for the oversight of operations for federal award supported activities. The non-federal entity must monitor its activities to assure compliance with applicable federal requirements.
Since federal fiscal year 2010, federal regulations have required states to apply less restrictive program eligibility requirements to children who meet specific criteria. This can result in additional federal funding and, therefore, a reduction in state costs. Federal regulations at 42 USC 673(a)(8) require the Agency to calculate the amount saved, if any, and spend an equal amount on certain program services. Maintaining this state spending at the appropriate level is referred to as level of effort.
The Agency is also required to spend no less than 30 percent of any such savings on post-adoption services, post guardianship services, and services to support and sustain positive permanent outcomes for children who might otherwise enter the State’s foster care program. The Agency must accurately report these amounts to the federal grantor on the Annual Adoption Savings Report.
Condition and Context:
ALA staff requested the Agency’s internal control procedures over the level of effort – adoption savings requirement. Additionally, ALA staff requested the file tracking the excess funds used as savings. This review revealed the following deficiencies:
• The Agency was unable to provide documented internal controls addressing any of the five elements of COSO for the time period under review.
• The Agency was unable to provide documentation to support that it was monitoring adoption savings activities to ensure compliance with Level of Effort requirements.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The Agency has not established an internal control process for tracking or monitoring state-funded spending and completing the Annual Adoption Savings Report. It is noted that the Division responsible for the report and monitoring the level of effort requirement has recently experienced significant employee turnover.
Effect:
Without a system to accurately account for and record expenditures related to adoption savings, the Agency could not demonstrate it spent the amount reported. Inadequate controls for effectively monitoring compliance could result in failure to meet level of effort requirement and also limit the Agency’s ability to effectively manage the grant.
Recommendation:
ALA staff recommend the Agency establish internal controls to track state-funded spending. In addition, the Agency should establish written policies and procedures specifying how the Agency will determine the amount of adoption assistance savings and subsequent expenditures of those savings to be reported to the grantor. Finally, ALA staff recommend the Agency review maintenance of effort reports to ensure the amount of expenditures reported to the grantor has been accurately determined and is adequately supported.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. The agency will develop a procedure to monitor and accurately report adoption savings activities and will submit an updated Adoption Savings Report to correct any previously incorrectly reported amounts.
Anticipated Completion Date: 3/31/2024
Contact Person: Tiffany Wright
Director, Division of Children and Family Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-396-6477
Tiffany.Wright@dhs.arkansas.gov
Finding Number: 2023-018
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.659 – Adoption Assistance
Federal Awarding Agency: U.S. Department of Human Services
Federal Award Number(s): 2201ARADPT
Federal Award Year(s): 2022
Compliance Requirement(s) Affected: Matching, Level of Effort, Earmarking;
Reporting
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
Not applicable
Criteria:
45 CFR 75.342(a) states that a non-federal entity is responsible for the oversight of operations for federal award supported activities. The non-federal entity must monitor its activities to assure compliance with applicable federal requirements.
Since federal fiscal year 2010, federal regulations have required states to apply less restrictive program eligibility requirements to children who meet specific criteria. This can result in additional federal funding and, therefore, a reduction in state costs. Federal regulations at 42 USC 673(a)(8) require the Agency to calculate the amount saved, if any, and spend an equal amount on certain program services. Maintaining this state spending at the appropriate level is referred to as level of effort.
The Agency is also required to spend no less than 30 percent of any such savings on post-adoption services, post guardianship services, and services to support and sustain positive permanent outcomes for children who might otherwise enter the State’s foster care program. The Agency must accurately report these amounts to the federal grantor on the Annual Adoption Savings Report.
According to the supplemental terms and conditions relating to Title IV-E programs from the federal awarding agency, the Annual Adoption Savings Report (Part 4) must be submitted no later than 30 days following the end of the federal fiscal year (i.e., no later than October 30). (See 45 CFR §201.5 and 45 CFR §1355.30(n)(1).)
Condition and Context:
ALA staff reviewed the Annual Adoption Savings Calculation and Accounting report for period ended September 30, 2022. ALA staff requested documentation supporting the amount spent on program services utilizing the adoption savings to ensure the expenditures were sufficient to equal the savings calculated and reported. This review revealed the following deficiencies:
• The Annual Adoption Savings Report for the period ended September 30, 2022 was incomplete and the data used in preparing the report calculation was not adequately supported.
• The Annual Adoption Savings Report was not submitted within established time constraints.
• The Agency was unable to provide documentation to support that it was tracking the annual adoption savings amounts in order to meet the level of effort compliance requirements.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Unknown
Cause:
The Agency has not established an internal control process for tracking or monitoring state-funded spending and completing the Annual Adoption Savings Report. It was noted that the Division responsible for the report and monitoring the level of effort requirement has recently experienced significant employee turnover.
Effect:
Without a system to accurately account for and record expenditures related to adoption savings, the Agency could not demonstrate it spent the amount reported. The grant agreement allows the grantor to take action for noncompliance that can include temporarily withholding funds, wholly or partly suspending or terminating the award, and withholding further awards from the program.
Recommendation:
ALA staff recommend the Agency establish internal controls to track state-funded spending. In addition, the Agency should establish written policies and procedures specifying how the Agency will determine the amount of adoption assistance savings and subsequent expenditures of those savings to be reported to the grantor. Finally, ALA staff recommend the Agency review maintenance of effort reports to ensure the amount of expenditures reported to the grantor has been accurately determined, is adequately supported, and is submitted timely.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. The agency will develop a procedure to monitor and accurately report adoption savings activities and will submit an updated Adoption Savings Report to correct any previously incorrectly reported amounts.
Anticipated Completion Date: 3/31/2024
Contact Person: Tiffany Wright
Director, Division of Children and Family Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-396-6477
Tiffany.Wright@dhs.arkansas.gov
Finding Number: 2023-019
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021; 05-2305AR3002
(Children’s Health Insurance Program)
05-2205AR5MAP; 05-2305AR5MAP
(Medicaid Cluster)
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Allowable Costs/Cost Principles -
Managed Care Medical Loss Ratio (PASSE and Dental)
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-026.
Criteria:
In a final rule, published in the Federal Register on May 6, 2016 (81 FR 27498), the Centers for Medicare and Medicaid Services (CMS) adopted Medical Loss Ratio (MLR) requirements for Medicaid and Children’s Health Insurance Program (CHIP) managed care programs. One of the requirements is that a state must require each Medicaid managed care plan to calculate and report an MLR for rating periods starting on or after July 1, 2017. Each CHIP managed care plan is required to calculate and report an MLR for rating periods for state fiscal years beginning on or after July 1, 2018.
In accordance with 42 CFR § 438.8(c), if a state elects to mandate a minimum MLR, that minimum must be equal to or higher than 85%. 42 CFR § 438.8(j) indicates that if the state requires a minimum MLR to be met and if it is not met, there must be remittance to the state. Sections 9.3.1, 12.2.1, and 12.2.2 of the Dental Managed Care contracts state that the Dental Managed Care entities must submit a report detailing the calculation of its MLR on the 15th day of August in the year following the completion of each calendar year and that the MLR will be used to enforce a rebate at the end of the year.
Also, per 42 CFR § 438.5(c)(1), states must provide audited financial reports to the actuary, who determines capitation rates, for the three most recent and complete years for the managed care entities. These reports must be specific to the Medicaid contract and in accordance with generally accepted accounting principles and generally accepted auditing standards.
Finally, with regard to capitation rate setting for certain Managed Care Organization (MCO) plans, prior approval must be obtained as required, in accordance with the regulations below:
• 42 CFR § 438.4(b) - Capitation rates for MCOs must be reviewed and approved by CMS as actuarially sound and must be provided to CMS in an approved format and within a timeframe that meets the requirements defined by 42 CFR § 438.7.
• 42 CFR § 438.7(a) - States must submit all MCO rate certifications concurrent with the review and approval process for contracts as specified in 42 CFR § 438.3(a).
• 42 CFR § 438.3(a) - CMS must review and approve all contracts, including those contracts that are not subject to the prior approval requirements in 42 CFR § 438.806. For states seeking approval of contracts prior to a specific effective date, proposed final contracts must be submitted to CMS for review no later than 90 days prior to the effective date of the contract.
• 42 CFR § 438.3(c) - The capitation rate and the receipt of capitation payments under the contract must be specifically identified in the applicable contract submitted for CMS review and approval.
Criteria (Continued):
• 42 CFR § 438.806(b) - For MCO contracts, prior approval by CMS is a condition of Federal Financial Participation (FFP) under any MCO contract that has a value equal to or greater than the following threshold amounts: $1,000,000 for 1998 (the value for all subsequent years is increased by the percentage increase in the consumer price index). FFP is not available in an MCO contract that does not have prior approval from CMS.
Condition and Context:
ALA reviewed the Dental Managed Care program and the Provider-Led Arkansas Shared Savings Entity (PASSE) managed care program for compliance with the various managed care MLR requirements. As a result of procedures performed, the following deficiencies were noted:
Dental Managed Care:
• The calendar year 2021 MLR calculation for one of the two Dental Managed Care entities reflected a remittance, totaling $2,094,667, which was due to the State no later than December 31, 2022. However, the remittance still had not been made as of fieldwork date (November 3, 2023). Total questioned costs related to the federal portion of these expenditures were $1,485,140 and $150,870 for Medicaid and CHIP, respectively.
• Audited financial reports were not provided to the actuary for the three most recent and complete years prior to the reporting period. As the Dental Managed Care program was effective beginning January 1, 2018, audited financial reports from calendar years 2019, 2020, and 2021 for the two Dental Managed Care entities should have been provided.
PASSE:
• Audited financial reports were not provided to the actuary for the three most recent and complete years prior to the reporting period. As the PASSE managed care program was effective beginning March 1, 2019, audited financial reports from calendar years 2019, 2020, and 2021 for three of the four PASSEs should have been provided. (The three PASSEs are AR Total Care, Empower, and Summit’ CareSource did not participate in the PASSE program until calendar year 2022).
• No documentation was provided to substantiate that the Agency received approval from CMS for the calendar year 2022 PASSE contracts or rates prior to the start of calendar year 2022. Previously approved calendar year 2021 rates continued to be paid throughout all of calendar year 2022. Documentation obtained shows that the original calendar year 2022 PASSE contracts that were effective through September 30, 2022, were submitted to CMS for approval on January 5, 2021, that PASSE amendments extending the PASSE contracts through December 31, 2022, were submitted to CMS for approval on October 7, 2022, and the initial calendar year 2022 rates were submitted to CMS for approval on January 7, 2022. Multiple calendar year 2022 rate submissions have occurred since the initial rates were submitted, with the most recent submission occurring on June 21, 2023.
Condition and Context (Continued):
PASSE (Continued):
As of fieldwork date, November 8, 2023, the Agency has still not received CMS approval for either the calendar year 2022 PASSE contracts or rates.
• No documentation was provided to substantiate that the Agency received approval from CMS for the calendar year 2023 PASSE contracts or rates prior to the start of calendar year 2023. Previously approved calendar year 2021 rates were initially paid, but were later adjusted to the calendar year 2023 rates. Documentation obtained shows that the calendar year 2023 PASSE contracts and rates were submitted to CMS for approval on November 28, 2022. As of fieldwork date of November 8, 2023, the Agency has still not received CMS approval for either the calendar year 2023 PASSE contracts or rates.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$1,485,140 (Medicaid)
$ 150,870 (CHIP)
Cause:
The Agency did not adequately develop or implement procedures to ensure that the various managed care MLR requirements were met.
Effect:
Failure to adequately develop and implement appropriate internal control procedures limits the Agency’s ability to adequately monitor the program to ensure compliance.
Recommendation:
ALA staff recommend the Agency develop and implement control procedures for managed care MLR requirements for both the Dental and PASSE managed care programs to ensure that the required audited financial reports are provided; calculated Dental Managed Care MLR remittances due are received timely, in accordance with the terms and conditions included in the Dental Managed Care contracts; and PASSE contracts and capitation rates receive prior approval from CMS as required.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs, in part, and disputes, in part, this finding. The noted MLR remittance was submitted for collection on December 12, 2023. The agency has developed and implemented a process to collect all MLR rebates through monthly capitation payments. The agency will amend its Dental Managed Care contract to address this recoupment process.
The agency has provided its actuary with the audited financial statements for all Dental Managed Care and PASSE entities dating back to the beginning of these programs and will update its internal control to clarify the process for calculating the three years of reports that must be submitted to the actuary.
The agency disagrees that approved contracted rates were not being used for calendar year 2022. 42 CFR § 438.4(b) only requires that capitation rates be set at an actuarially sound rate for a specified time period. The requirement to receive approval for capitated rates does not mean that states are required to use previously approved rates from a prior year until a new one is approved. Actuarial best practices dictate that it is not appropriate to pay actuarial rates developed for a prior time period because there may be material differences in trend rates, covered benefits, provider reimbursement, and covered populations. Instead, it is optimal to use rates specifically developed for the applicable time limit even if CMS has not approved the rates. By using this approach, the agency ensures that it is paying MCO’s and PASSE’s capitation rates developed to be consistent with their financial responsibilities. Continued adherence to this practice is necessary as CMS consistently approves rates well after the beginning of the contract year. While CMS approval is beyond the agency’s control, agency controls and contracts have been updated to ensure rates and contracts are submitted 90 days prior to the start of the contract year.
Anticipated Completion Date: Complete
Contact Person: Elizabeth Pitman
Director, Division Medical Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-244-3944
Elizabeth.Pitman@dhs.arkansas.gov
Additional Comments from the Auditor:
ALA agrees that the actuary was provided with the audited financials. However, 42 CFR § 438.5(c)(1), states that the audited financial reports are to be those as defined at 42 CFR § 438.3(m), which those provided were not. See finding 2023-023 for further details.
ALA agrees that continuing to pay rates from a prior year until a new one is approved is also not appropriate. As a MCO plan, PASSE contracts and rates must receive prior CMS approval. No documentation was provided to show that this was obtained for calendar years 2022 and 2023.
Finally, although the timeliness of receiving CMS approval is ultimately beyond the agency’s control, 42 CFR § 438.3(a) indicates that proposed final contracts must be submitted to CMS for review no later than 90 days prior to the effective date of the contract. As noted above, based upon documentation provided, the initial calendar year 2022 rates were submitted to CMS for approval on January 7, 2022, and the initial calendar year 2023 rates were submitted to CMS for approval on November 28, 2022.
Finding Number: 2023-019
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021; 05-2305AR3002
(Children’s Health Insurance Program)
05-2205AR5MAP; 05-2305AR5MAP
(Medicaid Cluster)
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Allowable Costs/Cost Principles -
Managed Care Medical Loss Ratio (PASSE and Dental)
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-026.
Criteria:
In a final rule, published in the Federal Register on May 6, 2016 (81 FR 27498), the Centers for Medicare and Medicaid Services (CMS) adopted Medical Loss Ratio (MLR) requirements for Medicaid and Children’s Health Insurance Program (CHIP) managed care programs. One of the requirements is that a state must require each Medicaid managed care plan to calculate and report an MLR for rating periods starting on or after July 1, 2017. Each CHIP managed care plan is required to calculate and report an MLR for rating periods for state fiscal years beginning on or after July 1, 2018.
In accordance with 42 CFR § 438.8(c), if a state elects to mandate a minimum MLR, that minimum must be equal to or higher than 85%. 42 CFR § 438.8(j) indicates that if the state requires a minimum MLR to be met and if it is not met, there must be remittance to the state. Sections 9.3.1, 12.2.1, and 12.2.2 of the Dental Managed Care contracts state that the Dental Managed Care entities must submit a report detailing the calculation of its MLR on the 15th day of August in the year following the completion of each calendar year and that the MLR will be used to enforce a rebate at the end of the year.
Also, per 42 CFR § 438.5(c)(1), states must provide audited financial reports to the actuary, who determines capitation rates, for the three most recent and complete years for the managed care entities. These reports must be specific to the Medicaid contract and in accordance with generally accepted accounting principles and generally accepted auditing standards.
Finally, with regard to capitation rate setting for certain Managed Care Organization (MCO) plans, prior approval must be obtained as required, in accordance with the regulations below:
• 42 CFR § 438.4(b) - Capitation rates for MCOs must be reviewed and approved by CMS as actuarially sound and must be provided to CMS in an approved format and within a timeframe that meets the requirements defined by 42 CFR § 438.7.
• 42 CFR § 438.7(a) - States must submit all MCO rate certifications concurrent with the review and approval process for contracts as specified in 42 CFR § 438.3(a).
• 42 CFR § 438.3(a) - CMS must review and approve all contracts, including those contracts that are not subject to the prior approval requirements in 42 CFR § 438.806. For states seeking approval of contracts prior to a specific effective date, proposed final contracts must be submitted to CMS for review no later than 90 days prior to the effective date of the contract.
• 42 CFR § 438.3(c) - The capitation rate and the receipt of capitation payments under the contract must be specifically identified in the applicable contract submitted for CMS review and approval.
Criteria (Continued):
• 42 CFR § 438.806(b) - For MCO contracts, prior approval by CMS is a condition of Federal Financial Participation (FFP) under any MCO contract that has a value equal to or greater than the following threshold amounts: $1,000,000 for 1998 (the value for all subsequent years is increased by the percentage increase in the consumer price index). FFP is not available in an MCO contract that does not have prior approval from CMS.
Condition and Context:
ALA reviewed the Dental Managed Care program and the Provider-Led Arkansas Shared Savings Entity (PASSE) managed care program for compliance with the various managed care MLR requirements. As a result of procedures performed, the following deficiencies were noted:
Dental Managed Care:
• The calendar year 2021 MLR calculation for one of the two Dental Managed Care entities reflected a remittance, totaling $2,094,667, which was due to the State no later than December 31, 2022. However, the remittance still had not been made as of fieldwork date (November 3, 2023). Total questioned costs related to the federal portion of these expenditures were $1,485,140 and $150,870 for Medicaid and CHIP, respectively.
• Audited financial reports were not provided to the actuary for the three most recent and complete years prior to the reporting period. As the Dental Managed Care program was effective beginning January 1, 2018, audited financial reports from calendar years 2019, 2020, and 2021 for the two Dental Managed Care entities should have been provided.
PASSE:
• Audited financial reports were not provided to the actuary for the three most recent and complete years prior to the reporting period. As the PASSE managed care program was effective beginning March 1, 2019, audited financial reports from calendar years 2019, 2020, and 2021 for three of the four PASSEs should have been provided. (The three PASSEs are AR Total Care, Empower, and Summit’ CareSource did not participate in the PASSE program until calendar year 2022).
• No documentation was provided to substantiate that the Agency received approval from CMS for the calendar year 2022 PASSE contracts or rates prior to the start of calendar year 2022. Previously approved calendar year 2021 rates continued to be paid throughout all of calendar year 2022. Documentation obtained shows that the original calendar year 2022 PASSE contracts that were effective through September 30, 2022, were submitted to CMS for approval on January 5, 2021, that PASSE amendments extending the PASSE contracts through December 31, 2022, were submitted to CMS for approval on October 7, 2022, and the initial calendar year 2022 rates were submitted to CMS for approval on January 7, 2022. Multiple calendar year 2022 rate submissions have occurred since the initial rates were submitted, with the most recent submission occurring on June 21, 2023.
Condition and Context (Continued):
PASSE (Continued):
As of fieldwork date, November 8, 2023, the Agency has still not received CMS approval for either the calendar year 2022 PASSE contracts or rates.
• No documentation was provided to substantiate that the Agency received approval from CMS for the calendar year 2023 PASSE contracts or rates prior to the start of calendar year 2023. Previously approved calendar year 2021 rates were initially paid, but were later adjusted to the calendar year 2023 rates. Documentation obtained shows that the calendar year 2023 PASSE contracts and rates were submitted to CMS for approval on November 28, 2022. As of fieldwork date of November 8, 2023, the Agency has still not received CMS approval for either the calendar year 2023 PASSE contracts or rates.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$1,485,140 (Medicaid)
$ 150,870 (CHIP)
Cause:
The Agency did not adequately develop or implement procedures to ensure that the various managed care MLR requirements were met.
Effect:
Failure to adequately develop and implement appropriate internal control procedures limits the Agency’s ability to adequately monitor the program to ensure compliance.
Recommendation:
ALA staff recommend the Agency develop and implement control procedures for managed care MLR requirements for both the Dental and PASSE managed care programs to ensure that the required audited financial reports are provided; calculated Dental Managed Care MLR remittances due are received timely, in accordance with the terms and conditions included in the Dental Managed Care contracts; and PASSE contracts and capitation rates receive prior approval from CMS as required.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs, in part, and disputes, in part, this finding. The noted MLR remittance was submitted for collection on December 12, 2023. The agency has developed and implemented a process to collect all MLR rebates through monthly capitation payments. The agency will amend its Dental Managed Care contract to address this recoupment process.
The agency has provided its actuary with the audited financial statements for all Dental Managed Care and PASSE entities dating back to the beginning of these programs and will update its internal control to clarify the process for calculating the three years of reports that must be submitted to the actuary.
The agency disagrees that approved contracted rates were not being used for calendar year 2022. 42 CFR § 438.4(b) only requires that capitation rates be set at an actuarially sound rate for a specified time period. The requirement to receive approval for capitated rates does not mean that states are required to use previously approved rates from a prior year until a new one is approved. Actuarial best practices dictate that it is not appropriate to pay actuarial rates developed for a prior time period because there may be material differences in trend rates, covered benefits, provider reimbursement, and covered populations. Instead, it is optimal to use rates specifically developed for the applicable time limit even if CMS has not approved the rates. By using this approach, the agency ensures that it is paying MCO’s and PASSE’s capitation rates developed to be consistent with their financial responsibilities. Continued adherence to this practice is necessary as CMS consistently approves rates well after the beginning of the contract year. While CMS approval is beyond the agency’s control, agency controls and contracts have been updated to ensure rates and contracts are submitted 90 days prior to the start of the contract year.
Anticipated Completion Date: Complete
Contact Person: Elizabeth Pitman
Director, Division Medical Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-244-3944
Elizabeth.Pitman@dhs.arkansas.gov
Additional Comments from the Auditor:
ALA agrees that the actuary was provided with the audited financials. However, 42 CFR § 438.5(c)(1), states that the audited financial reports are to be those as defined at 42 CFR § 438.3(m), which those provided were not. See finding 2023-023 for further details.
ALA agrees that continuing to pay rates from a prior year until a new one is approved is also not appropriate. As a MCO plan, PASSE contracts and rates must receive prior CMS approval. No documentation was provided to show that this was obtained for calendar years 2022 and 2023.
Finally, although the timeliness of receiving CMS approval is ultimately beyond the agency’s control, 42 CFR § 438.3(a) indicates that proposed final contracts must be submitted to CMS for review no later than 90 days prior to the effective date of the contract. As noted above, based upon documentation provided, the initial calendar year 2022 rates were submitted to CMS for approval on January 7, 2022, and the initial calendar year 2023 rates were submitted to CMS for approval on November 28, 2022.
Finding Number: 2023-020
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021; 05-2305AR3002
(Children’s Health Insurance Program)
05-2205AR5MAP; 05-2305AR5MAP
(Medicaid Cluster)
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Eligibility
Type of Finding: Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-023.
Criteria:
In accordance with 45 CFR § 75.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statues, regulations, and terms and conditions of the award.
Also, 42 CFR 435.945(d), states that all Medicaid state eligibility determination systems must conduct data matching through the Public Assistance Reporting Information System (PARIS).
Condition and Context:
PARIS is a data matching service that identifies recipients of public assistance who receive duplicate benefits in two or more states, in order to help detect improper payments. This system is administered by the Office of the Administration for Children and Families (ACF) within the U.S. Department of Health and Human Services.
ALA selected two quarters from state fiscal year 2023 for review to ensure that the Agency participated in the interstate PARIS match and to determine that adequate supporting documentation was available to demonstrate that the Agency adequately reviewed identified matches and determined whether those recipients were currently residing in Arkansas and, therefore, properly received benefits under the Arkansas Medicaid or CHIP programs.
ALA review confirmed that the Agency participated in the PARIS match for the two quarters selected for testing (i.e., November 2022 and May 2023).
ALA then selected a sample of 20 recipients (10 recipient cases from each selected quarterly report) that were flagged as receiving Medicaid or CHIP benefits in Arkansas and another state to determine if those cases were reviewed. ALA testing of PARIS match results revealed one recipient with an open Medicaid case in both Arkansas and another state. The match was based on the recipient’s name, date of birth, and social security number. Information related to this match was not uploaded to the ARIES eligibility system because of a system coding issue; therefore, the recipient’s case was not reviewed to determine if the recipient met the residency requirement.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Unknown
Cause:
The ARIES system logic excluded PARIS match results from being uploaded into the system when any address line field was left blank. For example, if “Address line 1” on the PARIS match report was empty, system logic did not consider information recorded on “Address line 2,” which could confirm the recipient’s out of state address. According to the Division of County Operations (DCO), PARIS matching system logic within ARIES will need to be adjusted to ensure these types of cases are identified in the future.
Effect:
Failure to review the PARIS interstate matches could result in the Agency not identifying individuals who are no longer residents of Arkansas and, as a result, are ineligible to receive benefits under the Arkansas Medicaid or CHIP programs. Improper payments could be made on behalf of ineligible recipients.
Recommendation:
ALA staff recommend the Agency develop system controls in ARIES to ensure that all PARIS interstate match data received by the State is used when determining whether Medicaid benefits are dually active in Arkansas and another state. This will ensure the recipients qualify for continued eligibility coverage.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. ARIES system logic has been updated to consider all information recorded in the PARIS match reports when identifying cases for review.
Anticipated Completion Date: Complete
Contact Person: Mary Franklin
Director, Division County Operations
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-681-8377
Mary.Franklin@dhs.arkansas.gov
Finding Number: 2023-020
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021; 05-2305AR3002
(Children’s Health Insurance Program)
05-2205AR5MAP; 05-2305AR5MAP
(Medicaid Cluster)
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Eligibility
Type of Finding: Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-023.
Criteria:
In accordance with 45 CFR § 75.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statues, regulations, and terms and conditions of the award.
Also, 42 CFR 435.945(d), states that all Medicaid state eligibility determination systems must conduct data matching through the Public Assistance Reporting Information System (PARIS).
Condition and Context:
PARIS is a data matching service that identifies recipients of public assistance who receive duplicate benefits in two or more states, in order to help detect improper payments. This system is administered by the Office of the Administration for Children and Families (ACF) within the U.S. Department of Health and Human Services.
ALA selected two quarters from state fiscal year 2023 for review to ensure that the Agency participated in the interstate PARIS match and to determine that adequate supporting documentation was available to demonstrate that the Agency adequately reviewed identified matches and determined whether those recipients were currently residing in Arkansas and, therefore, properly received benefits under the Arkansas Medicaid or CHIP programs.
ALA review confirmed that the Agency participated in the PARIS match for the two quarters selected for testing (i.e., November 2022 and May 2023).
ALA then selected a sample of 20 recipients (10 recipient cases from each selected quarterly report) that were flagged as receiving Medicaid or CHIP benefits in Arkansas and another state to determine if those cases were reviewed. ALA testing of PARIS match results revealed one recipient with an open Medicaid case in both Arkansas and another state. The match was based on the recipient’s name, date of birth, and social security number. Information related to this match was not uploaded to the ARIES eligibility system because of a system coding issue; therefore, the recipient’s case was not reviewed to determine if the recipient met the residency requirement.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Unknown
Cause:
The ARIES system logic excluded PARIS match results from being uploaded into the system when any address line field was left blank. For example, if “Address line 1” on the PARIS match report was empty, system logic did not consider information recorded on “Address line 2,” which could confirm the recipient’s out of state address. According to the Division of County Operations (DCO), PARIS matching system logic within ARIES will need to be adjusted to ensure these types of cases are identified in the future.
Effect:
Failure to review the PARIS interstate matches could result in the Agency not identifying individuals who are no longer residents of Arkansas and, as a result, are ineligible to receive benefits under the Arkansas Medicaid or CHIP programs. Improper payments could be made on behalf of ineligible recipients.
Recommendation:
ALA staff recommend the Agency develop system controls in ARIES to ensure that all PARIS interstate match data received by the State is used when determining whether Medicaid benefits are dually active in Arkansas and another state. This will ensure the recipients qualify for continued eligibility coverage.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. ARIES system logic has been updated to consider all information recorded in the PARIS match reports when identifying cases for review.
Anticipated Completion Date: Complete
Contact Person: Mary Franklin
Director, Division County Operations
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-681-8377
Mary.Franklin@dhs.arkansas.gov
Finding Number: 2023-021
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2305AR3002
(Children’s Health Insurance Program)
05-2305AR5ADM; 05-2305AR5MAP
(Medicaid Cluster)
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Matching, Level of Effort, Earmarking
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year findings 2022-024.
Criteria:
In accordance with 45 CFR § 95.507(4), the Agency’s established Cost Allocation Plan is required to contain sufficient information in such detail to permit the Director – Division of Cost Allocation, after consulting with the Operating Divisions, to make an informed judgment on the correctness and fairness of the State’s procedures for identifying, measuring, and allocating all costs to each of the programs operated by the Agency.
42 CFR §§ 433.10 and 433.15 established rates to be used to calculate non-administrative and administrative state match and require that the state pay part of the costs for providing and administering the Medical Assistance Program (MAP) and the Children’s Health Insurance Program (CHIP).
Condition and Context:
Medicaid:
ALA selected seven days from June 2023 to determine if the funds used as match for administrative and program expenditures for those days were from an allowable funding source. The match required from the seven days selected totaled $41,444,396. Of this amount, ALA staff were able to confirm allowable funding sources for $17,699,441 but were unable to confirm allowable funding sources for the balance totaling $23,744,955.
CHIP:
ALA selected two days from June 2023 to determine if the funds used as match for administrative and program expenditures for those days were from an allowable funding source. The match required from the two days selected totaled $772,427. Of this amount, ALA staff were able to confirm allowable funding sources for $364,794 but unable to confirm allowable funding sources for the balance totaling $407,633.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
MAP - $23,744,955
CHIP - $407,633
Cause:
In response to prior-year findings, the Agency implemented new procedures to include AASIS coding detail in the Funds Management Ledger and in AASIS transfer entries to allow for improved monitoring of funding sources by program. However, the new procedures were not implemented until June 2023. Although ALA was able to perform testing and determine the new procedures were implemented, many funding sources, including both state general revenues and other non-federal revenue sources are transferred to paying funds immediately when they become available. As such, the Agency had not implemented the new procedures at the time the funds were initially transferred; therefore, these entries did not include the needed detail to determine the source of funds.
Cause (Continued):
ALA further noted, as stated in prior-year audit findings, the Agency utilizes a Lotus ledger system to monitor source of funds by AASIS fund. ALA reviewed reports from this system and identified many errors, including incorrect amounts, misclassified funding source, and discrepancies between prior-month ending balances and current-month beginning balances. Therefore, ALA determined the reports could not be relied upon to verify allowable source of funds.
Effect:
The Agency’s inadequate controls resulted in a failure to document the required state match and could limit the Agency’s resources to ensure the State can continue to provide benefits.
Recommendation:
ALA staff recommend the Agency continue to strengthen procedures and implement appropriate controls to allow the Agency to track funding sources used to meet state match requirements for federal programs.
Views of Responsible Officials and Planned Corrective Action:
DHS disputes this finding. All funds used as match for administrative and program expenditures were from an allowable funding source. The agency confirmed that the Arkansas Medicaid Program Trust Fund, which funds all bank accounts used for administrative and program expenditures for Medicaid and CHIP, is only funded with statutorily allowed revenues. The complex nature of Medicaid and CHIP finance and frequency of transactions necessitates paying accounts be sufficiently funded to pay all costs associated with administering the programs. This often results in accounts carrying a fund balance that does not require the agency to draw down additional state general revenue or other non-federal funds to meet its state match obligation. While the agency disagrees that a dollar-for-dollar reconciliation of funding draws is the appropriate way to confirm program expenditures are from an allowable source, we continue to update our general ledger system to improve the ability to monitor state general revenues and other non-federal federal revenue sources used to match federal funding.
Anticipated Completion Date: Complete
Contact Person: Misty Eubanks
Deputy Secretary for Operations and Budget and Interim Chief Financial Officer
Department of Human Services
P.O. Box 1437, Slot S201
Little Rock, AR 72203-1437
501-320-6327
Misty.Eubanks@dhs.arkansas.gov
Additional Comments from the Auditor:
As noted in prior year findings related to state matching requirements, the Agency does not maintain documentation identifying the original source of revenues for the category “other non-federal.” Additionally, the Arkansas Administrative Statewide Information System (AASIS) does not include functionality to identify the revenue source for monies previously transferred to the AASIS paying funds; therefore, the Agency utilizes an outside accounting system, Lotus 1-2-3, to maintain and trace federal revenue, state general revenue and other non-federal funds available. ALA further notes Agency staff manually key information into this system daily; however, no reviews or other controls are in place to ensure the accuracy of the funding category balances. ALA review of the June 2023 reports from the Lotus system revealed multiple errors as identified in the “Cause” section of the finding above. ALA also performed a review of division level monitoring of revenue sources. Per this review, the Agency’s monitoring procedures are performed at the division level and are not broken out to the federal program level. Therefore, ALA was unable to verify the funds used to the meet the State matching requirements were from an appropriate funding source.
Finding Number: 2023-021
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2305AR3002
(Children’s Health Insurance Program)
05-2305AR5ADM; 05-2305AR5MAP
(Medicaid Cluster)
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Matching, Level of Effort, Earmarking
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year findings 2022-024.
Criteria:
In accordance with 45 CFR § 95.507(4), the Agency’s established Cost Allocation Plan is required to contain sufficient information in such detail to permit the Director – Division of Cost Allocation, after consulting with the Operating Divisions, to make an informed judgment on the correctness and fairness of the State’s procedures for identifying, measuring, and allocating all costs to each of the programs operated by the Agency.
42 CFR §§ 433.10 and 433.15 established rates to be used to calculate non-administrative and administrative state match and require that the state pay part of the costs for providing and administering the Medical Assistance Program (MAP) and the Children’s Health Insurance Program (CHIP).
Condition and Context:
Medicaid:
ALA selected seven days from June 2023 to determine if the funds used as match for administrative and program expenditures for those days were from an allowable funding source. The match required from the seven days selected totaled $41,444,396. Of this amount, ALA staff were able to confirm allowable funding sources for $17,699,441 but were unable to confirm allowable funding sources for the balance totaling $23,744,955.
CHIP:
ALA selected two days from June 2023 to determine if the funds used as match for administrative and program expenditures for those days were from an allowable funding source. The match required from the two days selected totaled $772,427. Of this amount, ALA staff were able to confirm allowable funding sources for $364,794 but unable to confirm allowable funding sources for the balance totaling $407,633.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
MAP - $23,744,955
CHIP - $407,633
Cause:
In response to prior-year findings, the Agency implemented new procedures to include AASIS coding detail in the Funds Management Ledger and in AASIS transfer entries to allow for improved monitoring of funding sources by program. However, the new procedures were not implemented until June 2023. Although ALA was able to perform testing and determine the new procedures were implemented, many funding sources, including both state general revenues and other non-federal revenue sources are transferred to paying funds immediately when they become available. As such, the Agency had not implemented the new procedures at the time the funds were initially transferred; therefore, these entries did not include the needed detail to determine the source of funds.
Cause (Continued):
ALA further noted, as stated in prior-year audit findings, the Agency utilizes a Lotus ledger system to monitor source of funds by AASIS fund. ALA reviewed reports from this system and identified many errors, including incorrect amounts, misclassified funding source, and discrepancies between prior-month ending balances and current-month beginning balances. Therefore, ALA determined the reports could not be relied upon to verify allowable source of funds.
Effect:
The Agency’s inadequate controls resulted in a failure to document the required state match and could limit the Agency’s resources to ensure the State can continue to provide benefits.
Recommendation:
ALA staff recommend the Agency continue to strengthen procedures and implement appropriate controls to allow the Agency to track funding sources used to meet state match requirements for federal programs.
Views of Responsible Officials and Planned Corrective Action:
DHS disputes this finding. All funds used as match for administrative and program expenditures were from an allowable funding source. The agency confirmed that the Arkansas Medicaid Program Trust Fund, which funds all bank accounts used for administrative and program expenditures for Medicaid and CHIP, is only funded with statutorily allowed revenues. The complex nature of Medicaid and CHIP finance and frequency of transactions necessitates paying accounts be sufficiently funded to pay all costs associated with administering the programs. This often results in accounts carrying a fund balance that does not require the agency to draw down additional state general revenue or other non-federal funds to meet its state match obligation. While the agency disagrees that a dollar-for-dollar reconciliation of funding draws is the appropriate way to confirm program expenditures are from an allowable source, we continue to update our general ledger system to improve the ability to monitor state general revenues and other non-federal federal revenue sources used to match federal funding.
Anticipated Completion Date: Complete
Contact Person: Misty Eubanks
Deputy Secretary for Operations and Budget and Interim Chief Financial Officer
Department of Human Services
P.O. Box 1437, Slot S201
Little Rock, AR 72203-1437
501-320-6327
Misty.Eubanks@dhs.arkansas.gov
Additional Comments from the Auditor:
As noted in prior year findings related to state matching requirements, the Agency does not maintain documentation identifying the original source of revenues for the category “other non-federal.” Additionally, the Arkansas Administrative Statewide Information System (AASIS) does not include functionality to identify the revenue source for monies previously transferred to the AASIS paying funds; therefore, the Agency utilizes an outside accounting system, Lotus 1-2-3, to maintain and trace federal revenue, state general revenue and other non-federal funds available. ALA further notes Agency staff manually key information into this system daily; however, no reviews or other controls are in place to ensure the accuracy of the funding category balances. ALA review of the June 2023 reports from the Lotus system revealed multiple errors as identified in the “Cause” section of the finding above. ALA also performed a review of division level monitoring of revenue sources. Per this review, the Agency’s monitoring procedures are performed at the division level and are not broken out to the federal program level. Therefore, ALA was unable to verify the funds used to the meet the State matching requirements were from an appropriate funding source.
Finding Number: 2023-022
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021; 05-2305AR3002
(Children’s Health Insurance Program)
05-2205AR5MAP; 05-2305AR5MAP
(Medicaid Cluster)
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Reporting
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-033.
Criteria:
In accordance with 45 CFR § 75.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and terms and conditions of the award.
The Agency’s controls include the establishment of written procedures for identifying and properly reporting expenditures on the quarterly CMS-64 and CMS-21 reports. Established written procedures ensure the Agency can prepare reports accurately and timely in instances of system issues or staff changes.
Additionally, the Agency completes reconciliations of Total Medical Service Expenditures per CMS-64 and CMS-21 reports to the Quarterly Cost Allocation Reports. The reconciliations help to ensure that expenditures are accurately reported.
Finally, 42 CFR 430.30(c) requires submission of a quarterly CMS-64 for the Medical Assistance Program (MAP) no later than 30 days after the end of each quarter. Amounts reported on the CMS-64 must be an accurate and complete accounting of actual expenditures.
Condition and Context:
ALA reviewed written procedures for the CHIP and Medicaid reporting workbooks for the quarters ended September 30, 2022 and March 31, 2023. Reporting instructions were included for each workbook. However, the instructions had not been updated to cover all current items in the workbooks, making the control ineffective.
The Agency’s quarterly reconciliations of total reported expenditures to cost allocation reports for the quarters previously mentioned were also reviewed. ALA review revealed the Agency failed to identify and explain a significant portion of the noted variance between the Agency’s accounting system and reported expenditures for the quarter ended September 30, 2022.
The unexplained portion of the variance totaled $108.1 million (5.92% of total reported expenditures) for the Medicaid program and totaled $8.2 million (21.37% of total reported expenditures) for CHIP. Therefore, the reconciliation is not considered effective as the variances were not adequately explained.
Condition and Context (Continued):
Additionally, ALA staff performed testing of expenditures reported on the CMS-64 for the quarters ending September 30, 2022, and March 31, 2023, to confirm accuracy and completeness with the expenditures recorded in the Agency’s financial management system. ALA review revealed the following errors:
• From the September 30, 2022, CMS-64 report, 25 line items totaling $1,912,069,973 and representing 91.52% of MAP expenditures were selected. ALA identified uncorrected errors affecting three line items, resulting in a net understatement of the federal portion of expenditures totaling $87,676.
• From the March 31, 2023, CMS-64 report, 24 line items totaling $2,044,925,178 and representing 90.54% of MAP expenditures were selected. ALA identified uncorrected errors affecting two line items, resulting in a net overstatement of the federal portion of expenditures totaling $53,907.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Understated amount - $87,676
Overstated amount - $53,907
Cause:
The Agency did not adequately perform the implemented control activities to ensure they were operating effectively. In addition, the Agency failed to adequately review report line calculations for accuracy prior to submitting the quarterly reports
Effect:
The Agency’s control procedures to ensure quarterly reports are completed timely and accurately may not be effective in preventing, detecting, and correcting expenditure reporting errors.
Expenditure amounts reported on the CMS-64 were misstated for the MAP, resulting in the Agency claiming incorrect federal funding amounts for the expenditures.
Recommendation:
ALA staff recommend the Agency update reporting instructions for CHIP and Medicaid workbooks to ensure reports are prepared timely and accurately. ALA further recommends the Agency ensure any large variances have an explanation when reconciling reported amounts to cost allocation to ensure expenditures are correctly reported.
Additionally, ALA staff recommend the Agency perform a thorough review of report calculations for accuracy prior to submitting the quarterly reports; review and verify the accuracy of the supporting documentation for all manual adjustments; and correct identified errors by entering prior period adjustments on subsequent CMS-64 reports.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. The agency will update its written reporting instructions for Medicaid and CHIP to cover all items in the report workbooks. After the conclusion of the audit testing, the agency confirmed that the noted variance between the agency’s accounting system and reported expenditures for the quarter ended September 30, 2022, was below the 5% threshold which requires an explanation to be provided to CMS financial analysts. The agency has reassigned resources to the Medicaid reporting section which will allow for additional time to spend researching variances identified in quarterly reconciliations. The agency also confirmed that the understatement of the federal portion of the September 30, 2022, CMS-64 report was $10,582, and the overstatement of the federal portion of the of the March 31, 2023, CMS-64 report was $30,664. The agency will correct these errors through an adjustment on an upcoming submission of the CMS-64 report.
Anticipated Completion Date: 7/31/2024
Contact Person: Jason Callan
Medicaid Chief Financial Officer
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-320-6540
Jason.Callan@dhs.arkansas.gov
Finding Number: 2023-022
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021; 05-2305AR3002
(Children’s Health Insurance Program)
05-2205AR5MAP; 05-2305AR5MAP
(Medicaid Cluster)
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Reporting
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-033.
Criteria:
In accordance with 45 CFR § 75.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and terms and conditions of the award.
The Agency’s controls include the establishment of written procedures for identifying and properly reporting expenditures on the quarterly CMS-64 and CMS-21 reports. Established written procedures ensure the Agency can prepare reports accurately and timely in instances of system issues or staff changes.
Additionally, the Agency completes reconciliations of Total Medical Service Expenditures per CMS-64 and CMS-21 reports to the Quarterly Cost Allocation Reports. The reconciliations help to ensure that expenditures are accurately reported.
Finally, 42 CFR 430.30(c) requires submission of a quarterly CMS-64 for the Medical Assistance Program (MAP) no later than 30 days after the end of each quarter. Amounts reported on the CMS-64 must be an accurate and complete accounting of actual expenditures.
Condition and Context:
ALA reviewed written procedures for the CHIP and Medicaid reporting workbooks for the quarters ended September 30, 2022 and March 31, 2023. Reporting instructions were included for each workbook. However, the instructions had not been updated to cover all current items in the workbooks, making the control ineffective.
The Agency’s quarterly reconciliations of total reported expenditures to cost allocation reports for the quarters previously mentioned were also reviewed. ALA review revealed the Agency failed to identify and explain a significant portion of the noted variance between the Agency’s accounting system and reported expenditures for the quarter ended September 30, 2022.
The unexplained portion of the variance totaled $108.1 million (5.92% of total reported expenditures) for the Medicaid program and totaled $8.2 million (21.37% of total reported expenditures) for CHIP. Therefore, the reconciliation is not considered effective as the variances were not adequately explained.
Condition and Context (Continued):
Additionally, ALA staff performed testing of expenditures reported on the CMS-64 for the quarters ending September 30, 2022, and March 31, 2023, to confirm accuracy and completeness with the expenditures recorded in the Agency’s financial management system. ALA review revealed the following errors:
• From the September 30, 2022, CMS-64 report, 25 line items totaling $1,912,069,973 and representing 91.52% of MAP expenditures were selected. ALA identified uncorrected errors affecting three line items, resulting in a net understatement of the federal portion of expenditures totaling $87,676.
• From the March 31, 2023, CMS-64 report, 24 line items totaling $2,044,925,178 and representing 90.54% of MAP expenditures were selected. ALA identified uncorrected errors affecting two line items, resulting in a net overstatement of the federal portion of expenditures totaling $53,907.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Understated amount - $87,676
Overstated amount - $53,907
Cause:
The Agency did not adequately perform the implemented control activities to ensure they were operating effectively. In addition, the Agency failed to adequately review report line calculations for accuracy prior to submitting the quarterly reports
Effect:
The Agency’s control procedures to ensure quarterly reports are completed timely and accurately may not be effective in preventing, detecting, and correcting expenditure reporting errors.
Expenditure amounts reported on the CMS-64 were misstated for the MAP, resulting in the Agency claiming incorrect federal funding amounts for the expenditures.
Recommendation:
ALA staff recommend the Agency update reporting instructions for CHIP and Medicaid workbooks to ensure reports are prepared timely and accurately. ALA further recommends the Agency ensure any large variances have an explanation when reconciling reported amounts to cost allocation to ensure expenditures are correctly reported.
Additionally, ALA staff recommend the Agency perform a thorough review of report calculations for accuracy prior to submitting the quarterly reports; review and verify the accuracy of the supporting documentation for all manual adjustments; and correct identified errors by entering prior period adjustments on subsequent CMS-64 reports.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. The agency will update its written reporting instructions for Medicaid and CHIP to cover all items in the report workbooks. After the conclusion of the audit testing, the agency confirmed that the noted variance between the agency’s accounting system and reported expenditures for the quarter ended September 30, 2022, was below the 5% threshold which requires an explanation to be provided to CMS financial analysts. The agency has reassigned resources to the Medicaid reporting section which will allow for additional time to spend researching variances identified in quarterly reconciliations. The agency also confirmed that the understatement of the federal portion of the September 30, 2022, CMS-64 report was $10,582, and the overstatement of the federal portion of the of the March 31, 2023, CMS-64 report was $30,664. The agency will correct these errors through an adjustment on an upcoming submission of the CMS-64 report.
Anticipated Completion Date: 7/31/2024
Contact Person: Jason Callan
Medicaid Chief Financial Officer
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-320-6540
Jason.Callan@dhs.arkansas.gov
Finding Number: 2023-023
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021; 05-2305AR3002
(Children’s Health Insurance Program)
05-2205AR5MAP; 05-2305AR5MAP
(Medicaid Cluster)
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Managed Care Financial Audits (PASSE and Dental)
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-025.
Criteria:
45 CFR § 75.303 states that a non-federal entity must:
• Establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. These controls should be in compliance with Green Book or COSO guidance.
• Evaluate and monitor its compliance with the award.
• Take prompt action when instances of noncompliance are identified, including noncompliance identified in audit findings.
In addition, 42 CFR § 438.3 (m) states that managed care contracts must require Managed Care Organizations (MCOs), Prepaid Inpatient Health Plans (PIHPs), and Prepaid Ambulatory Health Plans (PAHPs) to annually submit audited financial reports that are conducted in accordance with generally accepted accounting principles and generally accepted auditing standards specific to the Medicaid contract.
Condition and Context:
ALA performed testing to determine if there was sufficient, adequate language in the managed care contracts and agreements for Provider-Led Arkansas Shares Savings Entity (PASSE) and Dental Managed Care regarding audited financial reports. ALA review revealed that adequate language was not included in the Dental Managed Care contracts requiring that the annual financial audit be performed. Although the Agency has taken steps to update the contract to include this language, as of fieldwork performed in September 2023, the contracts still had not been formally updated.
In addition, ALA performed testing to ensure that the annual audited financial reports were performed for the applicable managed care program entities and that the reports were in compliance with federal regulations.
Four MCOs participated in the PASSE managed care program, and two dental managed care entities participated in the Dental Managed Care program during calendar year 2022. These entities would have been required to submit audited financial reports.
The results of ALA testing revealed that although audited financial reports were provided by all PASSE and dental managed care entities, all four PASSE entities’ reports and both dental managed care entities’ reports were not in accordance with generally accepted accounting principles. In addition, the audits for the two dental managed care entities were not specific to the Medicaid contract.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The Agency did not adequately develop control procedures for its staff to ensure that adequate language was contained in the Dental Managed Care contract regarding audited financial reports. In addition, the Agency did not adequately monitor the submission of reports to ensure they complied with federal regulations.
Effect:
Failure to implement appropriate procedures for internal control limits the Agency’s ability to adequately monitor the programs for possible noncompliance. In addition, failure to monitor the adequacy of the reports submitted led to the Agency not identifying that the reports received did not comply with federal regulations.
Recommendation:
ALA staff recommend the Agency update the language in the Dental Managed Care contract to require audited financial reports, in accordance with 42 CFR § § 438.3(m). In addition, the Agency should strengthen monitoring controls to ensure that all reports received are in compliance with requirements included in the federal regulations.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs, in part, and disputes, in part, the finding. DHS has submitted and received approval from CMS for changes to the Dental Managed Care contract that requires the completion of annual audited financial reports. The agency disagrees that the audited financial reports submitted by the PASSE and Dental Managed Care Organizations (DMO) do not comply with 42 CFR 438.3(M). CMS guidance pertaining to that regulation provides that states have the flexibility to specify the applicable generally accepted accounting and auditing principles for the audited financial reports in the managed care plan contracts. The Arkansas Insurance Department also requires insurers to submit annual audited financial statements. Ark. Code Ann. 23-61-108 requires PASSE’s and DMO’s to follow the National Association of Insurance Commissioners Accounting Practices and Procedures Manual. DHS interprets 42 CFR 438.3(M) and its related guidance to permit the State Medicaid Agency flexibility to adopt the same accounting principles as the State Insurance Agency. As a practical matter, DHS reviewed the use of the audited financial statements and the information necessary to be contained within those statements. DMS discussed the use of the audited financial statements with the External Quality Review Organization (EQRO) that performs our External Quality Review. The EQRO confirmed that audited financial statements that complied with the Arkansas statutory basis would be satisfactory for review purposes.
Anticipated Completion Date: Complete
Contact Person: Elizabeth Pitman
Director, Division of Medical Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-244-3944
Elizabeth.Pitman@dhs.arkansas.gov
Additional Comments from the Auditor:
ALA cannot confirm the specific CMS guidance that the Agency is referring to as it was not provided to auditors during fieldwork. However, auditors did discuss a particular question and answer, item 10, included in the CMS Medicaid and CHIP Managed Care Final Rule (CMS-2390-F) Frequently Asked Questions (FAQs) dated November 10, 2016, with the Agency. This item indicates that states have the flexibility to specify the applicable generally accepted accounting and auditing principles for the audited financial reports in the managed care plan contracts. During SFY23, the PASSE agreements (section 11.1.9) required that the audited financials be in accordance with GAAP and GAAS. As noted above, ALA review revealed that during SFY23, adequate language was not included in the Dental Managed Care contracts requiring that the annual financial audit be performed. Auditors agree that once the terms of the PASSE and Dental contracts are updated to require that audited financials be on the statutory basis, that there will no longer be non-compliance noted related to the financials not being in accordance with GAAP. However, regardless of the specific basis, 42 CFR § 438.3(m) still requires that financials be specific to the Medicaid contract.
Finding Number: 2023-023
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021; 05-2305AR3002
(Children’s Health Insurance Program)
05-2205AR5MAP; 05-2305AR5MAP
(Medicaid Cluster)
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Managed Care Financial Audits (PASSE and Dental)
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-025.
Criteria:
45 CFR § 75.303 states that a non-federal entity must:
• Establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. These controls should be in compliance with Green Book or COSO guidance.
• Evaluate and monitor its compliance with the award.
• Take prompt action when instances of noncompliance are identified, including noncompliance identified in audit findings.
In addition, 42 CFR § 438.3 (m) states that managed care contracts must require Managed Care Organizations (MCOs), Prepaid Inpatient Health Plans (PIHPs), and Prepaid Ambulatory Health Plans (PAHPs) to annually submit audited financial reports that are conducted in accordance with generally accepted accounting principles and generally accepted auditing standards specific to the Medicaid contract.
Condition and Context:
ALA performed testing to determine if there was sufficient, adequate language in the managed care contracts and agreements for Provider-Led Arkansas Shares Savings Entity (PASSE) and Dental Managed Care regarding audited financial reports. ALA review revealed that adequate language was not included in the Dental Managed Care contracts requiring that the annual financial audit be performed. Although the Agency has taken steps to update the contract to include this language, as of fieldwork performed in September 2023, the contracts still had not been formally updated.
In addition, ALA performed testing to ensure that the annual audited financial reports were performed for the applicable managed care program entities and that the reports were in compliance with federal regulations.
Four MCOs participated in the PASSE managed care program, and two dental managed care entities participated in the Dental Managed Care program during calendar year 2022. These entities would have been required to submit audited financial reports.
The results of ALA testing revealed that although audited financial reports were provided by all PASSE and dental managed care entities, all four PASSE entities’ reports and both dental managed care entities’ reports were not in accordance with generally accepted accounting principles. In addition, the audits for the two dental managed care entities were not specific to the Medicaid contract.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The Agency did not adequately develop control procedures for its staff to ensure that adequate language was contained in the Dental Managed Care contract regarding audited financial reports. In addition, the Agency did not adequately monitor the submission of reports to ensure they complied with federal regulations.
Effect:
Failure to implement appropriate procedures for internal control limits the Agency’s ability to adequately monitor the programs for possible noncompliance. In addition, failure to monitor the adequacy of the reports submitted led to the Agency not identifying that the reports received did not comply with federal regulations.
Recommendation:
ALA staff recommend the Agency update the language in the Dental Managed Care contract to require audited financial reports, in accordance with 42 CFR § § 438.3(m). In addition, the Agency should strengthen monitoring controls to ensure that all reports received are in compliance with requirements included in the federal regulations.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs, in part, and disputes, in part, the finding. DHS has submitted and received approval from CMS for changes to the Dental Managed Care contract that requires the completion of annual audited financial reports. The agency disagrees that the audited financial reports submitted by the PASSE and Dental Managed Care Organizations (DMO) do not comply with 42 CFR 438.3(M). CMS guidance pertaining to that regulation provides that states have the flexibility to specify the applicable generally accepted accounting and auditing principles for the audited financial reports in the managed care plan contracts. The Arkansas Insurance Department also requires insurers to submit annual audited financial statements. Ark. Code Ann. 23-61-108 requires PASSE’s and DMO’s to follow the National Association of Insurance Commissioners Accounting Practices and Procedures Manual. DHS interprets 42 CFR 438.3(M) and its related guidance to permit the State Medicaid Agency flexibility to adopt the same accounting principles as the State Insurance Agency. As a practical matter, DHS reviewed the use of the audited financial statements and the information necessary to be contained within those statements. DMS discussed the use of the audited financial statements with the External Quality Review Organization (EQRO) that performs our External Quality Review. The EQRO confirmed that audited financial statements that complied with the Arkansas statutory basis would be satisfactory for review purposes.
Anticipated Completion Date: Complete
Contact Person: Elizabeth Pitman
Director, Division of Medical Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-244-3944
Elizabeth.Pitman@dhs.arkansas.gov
Additional Comments from the Auditor:
ALA cannot confirm the specific CMS guidance that the Agency is referring to as it was not provided to auditors during fieldwork. However, auditors did discuss a particular question and answer, item 10, included in the CMS Medicaid and CHIP Managed Care Final Rule (CMS-2390-F) Frequently Asked Questions (FAQs) dated November 10, 2016, with the Agency. This item indicates that states have the flexibility to specify the applicable generally accepted accounting and auditing principles for the audited financial reports in the managed care plan contracts. During SFY23, the PASSE agreements (section 11.1.9) required that the audited financials be in accordance with GAAP and GAAS. As noted above, ALA review revealed that during SFY23, adequate language was not included in the Dental Managed Care contracts requiring that the annual financial audit be performed. Auditors agree that once the terms of the PASSE and Dental contracts are updated to require that audited financials be on the statutory basis, that there will no longer be non-compliance noted related to the financials not being in accordance with GAAP. However, regardless of the specific basis, 42 CFR § 438.3(m) still requires that financials be specific to the Medicaid contract.
Finding Number: 2023-024
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021
Federal Award Year(s): 2022
Compliance Requirement(s) Affected: Activities Allowed or Unallowed –
Managed Care (PASSE)
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-027.
Criteria:
The Provider-Led Arkansas Shared Savings Entity (PASSE) program transitioned to a full-risk Managed Care Organization (MCO) model on March 1, 2019. The program covers services for behavioral health (BH) recipients and developmentally disabled (DD) recipients. To receive services through PASSE, an individual must have an independent assessment (IA) performed that designates him or her at the appropriate level of need to participate in the program.
The § 1915(c) Home and Community-Based Services Waiver, applicable to the DD population, requires that an IA be performed at least every three years. Appendix K flexibilities were granted by which an additional 12-month extension was allowed for the IAs effective beginning March 12, 2020. This flexibility ended six months after the end of the public health emergency (PHE). As the PHE ended on May 11, 2023, flexibilities ended on November 11, 2023.
§ 1915(i) of the Social Security Act, applicable to the BH population, which provides states the option to offer home and community-based services through the state’s plan, requires that an IA be performed at least every 12 months. In addition, 42 CFR § 441.720(b) states that for reassessments, the IA of need must be conducted at least every 12 months and as needed when the individual’s support needs or circumstances change significantly, in order to revise the service plan. Section 1135 flexibilities were granted by which an additional 12-month extension was allowed for the IAs effective beginning March 17, 2020. This flexibility ended when the PHE ended on May 11, 2023.
Condition and Context:
ALA selected 40 PASSE recipients (all BH recipients) to determine if the following attributes had been met:
• An open eligibility segment for the recipient during the dates of service.
• A valid IA on file in effect for the dates of service.
• Appropriate amount paid in accordance with the actuarially determined rates.
• No disallowed fee-for-service claims paid for a recipient already covered by PASSE
ALA review revealed an exception affecting payments for five BH recipients as detailed below:
Sample item 3: The IA expired on March 29, 2022, and no other IA was completed prior to June 30, 2023. Payments for this recipient were made for dates of service from July 1, 2022 through March 31, 2023. Questioned costs totaled $7,806.
Sample item 6: The IA expired on May 22, 2021, and no other IA was completed prior to June 30, 2023. Payments for this recipient were made for dates of service from July 1, 2022 through June 30, 2023. Questioned costs totaled $4,315.
Sample item 10: The IA expired on May 9, 2023, and no other IA was completed prior to June 30, 2023. Payments for this recipient were made for dates of service from May 10, 2023 through June 30, 2023. Questioned costs totaled $1,594.
Sample item 12: The IA expired on June 23, 2021, and no other IA was completed prior to June 30, 2023. Payments for this recipient were made for dates of service from July 1, 2022 through June 30, 2023. Questioned costs totaled $13,247.
Condition and Context (Continued):
Sample item 27: The IA dated August 4, 2022, indicated a level of need designation that did not support the services provided. Payments for this recipient continued for dates of service from August 4, 2022 through April 10, 2023. Questioned costs totaled $8,334.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$35,296
Cause:
The Agency did not adequately monitor IAs to ensure they were completed timely. In addition, although ARKids B recipients could have been removed from the benefit rolls and services discontinued, the Agency treated them as though they were subject to the continuous coverage requirements of the Families First Coronavirus Response Act (FFCRA), which was applicable to all Medicaid and Medicaid expansion recipients. ARKids B recipients are not considered Medicaid or Medicaid expansion recipients. All deficiencies above relate to payments coded to ARKids B recipients.
Effect:
Gaps were revealed in performance of the required IAs and need level designations included on IAs did not support the services provided. As a result, payments were made outside the approved/updated dates of service.
Recommendation:
ALA staff recommend the Agency review and strengthen its independent assessment procedures to ensure they are completed timely, support the services provided, and are in accordance with federal regulations.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with this finding. As the Public Health Emergency has concluded, the agency has returned to normal operations which requires disenrollment of any PASSE member that has not received an independent assessment within the last 12 months.
Anticipated Completion Date: Complete
Contact Person: Elizabeth Pitman
Director, Division of Medical Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-244-3944
Elizabeth.Pitman@dhs.arkansas.gov
Finding Number: 2023-025
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021; 05-2305AR3002
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Eligibility
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-028.
Criteria:
In accordance with 45 CFR § 75.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statues, regulations, and terms and conditions of the award.
The Agency is responsible for determining if Children’s Health Insurance Program (CHIP) recipients meet the eligibility criteria as specified in its approved State Plan. Eligibility requirements for CHIP are outlined in the Arkansas Medical Services Manual. The Manual contains specific CHIP policies and procedures and is in addition to the approved State Plan.
The State’s ARKids First program includes three separate recipient aid categories under which children receive benefits. Placement in these categories is determined based on monthly household income and a Federal Poverty Level (FPL) percentage.
1. ARKids A (Medicaid) is funded through the Medical Assistance Program grant and provides coverage as follows:
• Children under the age of 6 with household income up to 142% of the FPL.
• Children aged 6 - 18 with household income up to 100% of the FPL.
2. ARKids A (MCHIP) is funded through the CHIP grant in accordance with the Affordable Care Act and provides coverage to children aged 6 - 18 with household income over 100% of the FPL up to 142% of the FPL.
3. ARKids B is funded through the CHIP grant and provides coverage to children up to the age of 19 with household incomes from 142% of the FPL up to 211% of the FPL. Once determined eligible, recipients remain eligible for a 12-month period, regardless of changes in household income.
Additionally, Section 6008 of the Families First Coronavirus Response Act (FFCRA) allowed for a temporary Federal Medical Assistance Percentage (FMAP) increase during the public health emergency (PHE). In accordance with FFCRA, a state is not eligible for the temporary FMAP increase if the state reduces the medical assistance for which the beneficiary is eligible for beneficiaries who were enrolled as of March 18, 2020, or become enrolled after that date but no later than the last day of the month in which the emergency period ends.
Condition and Context:
The State received approval for a CHIP PHE state plan amendment that became effective on March 18, 2020. The amendment allowed certain eligibility requirements to be waived through the duration of the PHE and included the following:
• Waived requirements related to timely processing of applications and renewals.
• Delayed processing of renewals and extended deadlines for families to respond to renewal requests.
Condition and Context (Continued):
• Delayed action on closure for certain changes in circumstances for CHIP beneficiaries. However, the following circumstances for closure will be allowed during the PHE:
Recipient ceases to be a resident of the state
Voluntary closure.
Eligibility due to fraud, abuse or perjury, or death.
• Waived co-payments for COVID-19 testing and treatment for the duration of the PHE.
Additionally, CMS guidance states that when information is received and processed regarding an enrollee and the state determines the enrollee ineligible for CHIP, the state is required to process the termination and transfer the individual to Medicaid or the Exchange. The guidance further states that PHE state plan amendments do not grant the state authority to extend eligibility periods for those determined ineligible for coverage under CHIP, which would include the ARKids B and Unborn Children programs.
In December 2022, the federal Consolidated Appropriations Act of 2023 gave states the authority to begin the process of re-determining eligibility for Medicaid enrollees kept on Medicaid rolls due to the continuous coverage requirement beginning April 1, 2023, and to reinstate routine eligibility operations. States have 12 months to initiate renewals and an additional two months to complete the process.
ALA selected 60 active CHIP recipient identification numbers to determine if PHE rules were followed when re-determination of benefits was made. ALA reviewed revealed the following deficiencies:
• The Agency failed to move two recipients from ARKids B to ARKids A – Medicaid when household income and size qualified the recipients for ARKids A – Medicaid. Claims incorrectly paid from CHIP totaled $11,470 (federal portion - $9,676).
• The Agency improperly extended benefits past the allowed 60 day post-partum period for one recipient enrolled in the Unborn Children aid category due to the PHE. Claims incorrectly paid from CHIP totaled $23 (federal portion – $19)
• The Agency improperly moved one recipient from ARKids A - Medicaid to ARKids B based on a change of income. As this change would result in a reduction in services provided to the recipient, it was inconsistent with the requirements of section 6008(b)(3) of the FFCRA. Claims incorrectly paid from CHIP totaled $336 (federal portion - $283).
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$9,978
Cause:
Errors in the Arkansas Integrated Eligibility System (ARIES) system resulted in improper eligibility determinations. Additionally, discussion with Agency personnel indicated that top-level Agency management chose to continue allowing the ARKids B eligibility segments to remain open, even though information was provided that should have resulted in an ineligible determination. This is in direct conflict with CMS guidance issued on January 6, 2021, clarifying that ARKids B cases MUST be closed once deemed ineligible.
Effect:
Expenditures were not accurately reported to the federal awarding agency, were not paid from the appropriate grant award, and were not funded at the appropriate federal rate.
Recommendation:
ALA staff recommend the Agency design and implement internal controls over compliance to ensure that recipients are placed in the appropriate recipient aid category.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. The agency is conducting an ARIES system review to determine the root cause of the incorrect eligibility determinations and will identify and implement any needed updates to the automatic renewal process.
Anticipated Completion Date: 4/30/2024
Contact Person: Mary Franklin
Director, Division County Operations
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-681-8377
Mary.Franklin@dhs.arkansas.gov
Finding Number: 2023-026
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2305AR3002
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions -
Provider Eligibility (Fee-for-Service)
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-029.
Criteria:
According to section 140.000, Provider Participation, any provider of health services must be enrolled in the Arkansas Medicaid Program prior to reimbursement for any services provided to Arkansas Medicaid beneficiaries. Enrollment is considered complete when a provider has signed and submitted the following forms:
• Application.
• W-9 tax form.
• Medicaid provider contract.
• PCP agreement, if applicable.
• EPSDT agreement, if applicable.
• Change in ownership control or conviction of crime form.
• Disclosure of significant business transactions form.
• Specific license or certification based on provider type and specialty, if applicable.
• Participation in the Medicare program, if applicable.
42 CFR § 455.414 (effective March 25, 2011, with an extended deadline of September 25, 2016, for full compliance) states that the State Medicaid Agency must revalidate the enrollment of all providers at least every five years. Revalidation includes a new application; satisfactory completion of screening activities; and if applicable, fee payment. Screening activities vary depending on the risk category of the provider as follows:
• The limited-risk category includes database checks.
• The moderate-risk category includes those required for limited plus site visits.
• The high-risk category includes those required for moderate plus fingerprint background checks.
Condition and Context:
From a population of 5,984 providers, ALA staff reviewed files of 40 providers to ensure sufficient, appropriate evidence was provided to support the determination of eligibility, including compliance with revalidation requirements. ALA review revealed deficiencies with two of the provider files as follows:
Moderate-risk category:
Sample item 28: The provider’s revalidation was due by May 23, 2023, but was not performed. In addition, the Agency did not perform the additional screening requirement (site visit). Questioned costs totaled $801.
Limited-risk category:
Sample item 36: The provider’s revalidation was due by June 12, 2023, but was not performed. Questioned costs totaled $503.
Condition and Context (Continued):
NOTE: Because of the Coronavirus pandemic, the Centers for Medicare and Medicaid Services (CMS), under section 1135(b)(1)(B) of the Social Security Act, approved Arkansas’s request to temporarily cease revalidation, including screening requirements of providers located in Arkansas or otherwise directly impacted by the emergency. This was effective as of March 1, 2020, and continued through the expiration of the Public Health Emergency (PHE) on May 11, 2023. State agencies were given six additional months to complete revalidations that were due during the PHE.
The deficiencies noted above were due subsequent to May 11, 2023.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$1,304
(Known questioned costs greater than $25,000 for a type of compliance requirement are required to be reported. In evaluating the effect of questioned costs on the opinion on compliance, the auditor considers the best estimate of total costs questioned [likely questioned costs], not just the questioned costs specifically identified. The auditor must also report known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.)
Cause:
The Agency had asserted that, effective May 31, 2019, it established and implemented new procedures to improve the following areas of provider enrollment: maintenance of provider enrollment application documents, provider revalidation, site visits, and fingerprint background requirements. Although testing results support that improvements have been made since the new procedures were implemented, deficiencies continued to exist during state fiscal year 2023.
Effect:
Claims were processed and paid to providers that did not meet all the required elements and, therefore, were ineligible.
Recommendation:
ALA staff recommend the Agency review and strengthen controls to ensure that revalidations are performed timely and that required enrollment documentation is maintained to support provider eligibility.
Views of Responsible Officials and Planned Corrective Action:
DHS disputes the finding. The revalidation date for the provider noted in sample item 28 was 7/20/2022. Per CMS guidance, revalidations, site visits, and fingerprint background checks were paused during the COVID Public Health Emergency (PHE) (3/1/2020-5/11/2023) and states were given until 11/11/2023 to complete revalidations due during the PHE. As this provider’s revalidation and site visit were completed on 10/12/2023, the agency is in compliance with all provider revalidation requirements.
Based on research conducted by DMS, the provider noted in sample item 36 was not enrolled until 9/16/2018. Therefore, the revalidation date for this provider is 9/16/2023 as opposed to 6/12/2023 and there would be no questioned cost for the audit period.
Anticipated Completion Date: Complete
Contact Person: Elizabeth Pitman
Director, Division of Medical Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-244-3944
Elizabeth.Pitman@dhs.arkansas.gov
Additional Comments from the Auditor:
Deficiencies are determined based on support provided by the Agency and reviewed by auditors during an iterative process performed during fieldwork. This includes any documentation supporting revalidation due dates. Auditors concluded based upon information provided.
Finding Number: 2023-027
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021; 05-2305AR3002
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Provider Eligibility (Managed Care Organizations)
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-030.
Criteria:
According to section 140.000, Provider Participation, any provider of health services must be enrolled in the Arkansas Medicaid Program prior to reimbursement for any services provided to Arkansas Medicaid beneficiaries. Managed Care Network providers must also be enrolled in the Arkansas Medicaid Program. Enrollment is considered complete when a provider has signed and submitted the following forms:
• Application.
• W-9 tax form.
• Medicaid provider contract.
• PCP agreement, if applicable.
• EPSDT agreement, if applicable.
• Change in ownership control or conviction of crime form.
• Disclosure of significant business transactions form.
• Specific license or certification based on provider type and specialty, if applicable.
• Participation in the Medicare program, if applicable.
42 CFR § 455.414 (effective March 25, 2011, with an extended deadline of September 25, 2016, for full compliance) states that the State Medicaid Agency must revalidate the enrollment of all providers at least every five years. Revalidation includes a new application; satisfactory completion of screening activities; and if applicable, fee payment. Screening activities vary depending on the risk category of the provider as follows:
• The limited-risk category includes database checks.
• The moderate-risk category includes those required for limited plus site visits.
• The high-risk category includes those required for moderate plus fingerprint background checks.
Condition and Context:
To determine if Managed Care Network providers met all necessary criteria to participate in the CHIP program, ALA staff selected 40 provider files from a population of 2,776 for review. The providers selected participated in the Dental managed care program, commonly referred to as Healthy Smiles, and the Provider-Led Arkansas Shares Savings Entity, or PASSE, managed care program. ALA review revealed deficiencies with four of the provider files as follows:
Limited-risk category:
Sample item 9: The provider failed to revalidate timely. Revalidation was due by September 25, 2016, but was not performed until July 7, 2023. Ineligible costs totaled $256.
Condition and Context (Continued):
Limited-risk category (Continued):
Sample item 19: The Agency did not provide documentation of the required W-9 that covered the entire enrollment period. The Agency has since obtained an updated W-9 effective October 5, 2023. Ineligible costs totaled $96.
Sample item 33: The Agency did not provide documentation of the provider’s licensure that covered the entire enrollment period. Ineligible costs totaled $2,006.
Sample item 37: The Agency did not provide documentation of the required application that covered the entire enrollment period. Ineligible costs totaled $3,416.
Total ineligible costs identified above totaled $5,774 for PASSE. There were no ineligible costs identified for Dental Managed Care.
NOTE: Because these providers are participating in the managed care portion of CHIP, providers are reimbursed by the managed care organizations, not the Agency. The managed care organizations receive a predetermined monthly payment from the Agency in exchange for assuming the risk for the covered recipients.
These monthly payments are actuarially determined based, in part, on historical costs data. Accordingly, the failure to remove unallowable cost data from the amounts utilized by the actuary would lead to overinflated future rates, which will be directly paid by the Agency.
In addition, because of the Coronavirus pandemic, the Centers for Medicare and Medicaid Services (CMS), under section 1135(b)(1)(B) of the Social Security Act, approved Arkansas’s request to temporarily cease revalidation, including screening requirements, of providers located in Arkansas or otherwise directly impacted by the emergency. This was effective as of March 1, 2020, and continued through the expiration of the Public Health Emergency (PHE), on May 11, 2023. State agencies were given six additional months to complete revalidations that were due during the PHE.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Unknown
Cause:
The Agency asserted that, effective May 31, 2019, it established and implemented new procedures to improve the following areas of provider enrollment: maintenance of provider enrollment application documents, provider revalidation, site visits, and fingerprint background requirements. Although testing results support that improvements have been made since the new procedures were implemented, deficiencies continued to exist during fiscal year 2023.
Effect:
Claims were processed and paid to providers that did not meet all the required criteria.
Recommendation:
ALA staff recommend the Agency review and strengthen controls to ensure that revalidations are performed timely and that required enrollment documentation is maintained to support provider eligibility.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs, in part, and disputes, in part, the finding. Effective May 31, 2019, DMS established and implemented new procedures to improve the following areas of provider enrollment: maintenance of provider application documents, provider revalidation, site visits and fingerprint background requirements. The deficiency noted for the provider referenced in sample item 9 relates to non-compliance with site visit requirements pre-dating May 31, 2019, and CMS’s approval of the agency’s corrective action plan. Since CMS implemented 1135 waiver flexibilities during the Public Health Emergency (PHE), the provider was not terminated and was notified of the agency’s intent to revalidate their enrollment within six months of the end of the PHE. The provider successfully completed the revalidation process prior to the expiration of the 1135 waiver flexibilities.
The absence of enrollment documentation noted in sample items 19 and 37 can be attributed to transitions and document storage issues that occurred within the legacy MMIS system. Since the time of enrollment for these two providers, the agency has made multiple updates to the MMIS system to capture and retain enrollment documentation. The agency has obtained the required documentation noted as missing for both sample items. The deficiency noted in sample item 33 has been resolved as the agency has verified licensure of the provider covering the audit period.
Anticipated Completion Date: Complete
Contact Person: Elizabeth Pitman
Director, Division of Medical Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-244-3944
Elizabeth.Pitman@dhs.arkansas.gov
Additional Comments from the Auditor:
As noted in the finding above, the deficiency for sample item #9 is based on the provider’s untimely revalidation, not the Agency’s failure to perform a site visit. A revalidation was due 09/25/2016, prior to the PHE and questioned costs are calculated after expiration of the 1135 PHE waiver for the period 5/12/23 through 06/30/23.
Finding Number: 2023-028
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5MAP; 05-2305AR5MAP
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Eligibility
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-022.
Criteria:
In accordance with 45 CFR § 75.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statues, regulations, and terms and conditions of the award.
In addition, 42 CFR § 435.1009 states that federal financial participation (FFP) is not available for payments made on behalf of individuals who are inmates in public institutions, including eligible juveniles. To be considered an inmate of a public institution, a person must be living in an institution that is the responsibility of a governmental unit or over which a governmental unit exercises administrative control.
Finally, under section 1001 of the Substance Use Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act (SUPPORT Act), states are 1) prohibited from terminating the Medicaid eligibility of an “eligible juvenile” who becomes an inmate of a public institution, 2) required to process applications submitted by incarcerated youth, and 3) required to re-determine the Medicaid eligibility of eligible juveniles before their release from a public institution.
An eligible juvenile is defined as a “juvenile who is an inmate of a public institution and who (A) was determined eligible for medical assistance under the State plan immediately before becoming an inmate of such a public institution; or (B) is determined eligible for such medical assistance while an inmate of a public institution.”
In compliance with this requirement, Medical Services Manual section D-380 states that coverage for children entering the custody of the Division of Youth Services (DYS) will be placed in suspension status for up to 12 months from the initial approval or most recent renewal. When a child with suspended Medicaid eligibility receives eligible medical treatment off the grounds of the juvenile detention facility (inpatient services) or is released from custody, the child’s Medicaid case will be reinstated for a fixed eligibility period from the date of hospitalization to the date of hospital discharge. Once the child returns to the DYS state-run facility, the Medicaid case is re-suspended.
Condition and Context:
ALA staff selected 60 files for incarcerated juveniles to determine whether the State is properly suspending a juvenile’s benefit coverage when the juvenile is held in a public institution and then properly reinstating coverage when the juvenile is placed in non-public institutions or released from DYS custody. ALA’s review also included ensuring that benefit payments were not made for dates of service that fell within the juvenile’s incarceration period.
ALA review revealed the following deficiencies:
• The Agency failed to appropriately suspend Medicaid benefits for three juveniles in DYS custody. ALA also identified payments, totaling $8,860, made for dates of service within the incarceration period for two of these individuals. The federal portion of these payments totaled $6,836.
• Although the Agency appropriately suspended benefits for 23 juveniles, the payments, totaling $40,963, were made for dates of service within the incarceration period for these juveniles. The federal portion of the Medicaid payments totaled $30,621.
Condition and Context (Continued):
• Although the Agency appropriately suspended benefits for 4 of the 60 juveniles tested, the Agency failed to properly reinstate benefits after their incarceration ended. Additionally, the Agency paid claims, totaling $8,477, for dates of service within the incarceration period for these juveniles. The federal portion of these payments totaled $6,577.
• The Agency failed to appropriately suspend and reinstate benefits for 7 of the 60 selected juveniles. As a result, payments totaling $51,042 were made for dates of service within the incarceration period for these juveniles. The federal portion of these payments totaled $39,423.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$83,457
Cause:
The Agency failed to properly monitor Medicaid eligibility for juveniles in DYS custody. Suspensions of benefits were not always entered timely, were entered with incorrect effective dates, or were not entered into the system when an eligible juvenile was incarcerated.
Effect:
The Agency improperly received and used funds for payments made on behalf of incarcerated juveniles.
Recommendation:
ALA staff recommend the Agency design and implement internal controls over compliance to ensure that Medicaid benefits are properly suspended when eligible juveniles are incarcerated and properly reinstated when leaving DYS facilities, based on guidance set forth in the Medical Services Policy Manual and in compliance with federal regulations.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. Since June 2023, DYS has made multiple changes to improve monitoring of suspension and reinstatement of Medicaid eligibility for incarcerated juveniles. For juveniles with SSI Medicaid, the Social Security Administration (SSA) is responsible for suspending Medicaid coverage. All incarcerations for cases noted in the findings involving SSI Medicaid were reported timely to SSA by the agency. DYS closely monitors these cases and continues to send closure requests to SSA until the cases are closed out. DYS has also updated its communication processes with DCO to ensure cases are suspended and reinstated in a timely manner. All payments noted as occurring during the incarceration period were capitated payments made for the PASSE, Dental Managed Care, NET, and PCCM programs. Some audit findings highlighted payments made for members during their month of incarceration, which is acceptable for all programs. The full monthly rate is paid for Dental Managed Care, NET, and PCCM even if the member is only eligible for part of the month. The PASSE program operates on a per-diem basis and any payments made for days when the member is ineligible are recouped as part of a monthly reconciliation.
The agency currently has a reconciliation process for all four programs that identifies payments made after a member’s incarceration date that should be recouped. Some payments noted in the findings will be recouped as part of a reconciliation process that has yet to run. In addition to the current reconciliation process, the agency is in the process of developing an MMIS change that will automatically update member profiles to accurately reflect incarceration dates. This will ensure capitated payments are paused and reinstated in a timely manner and that recoupments and repayments are subsequently processed.
Anticipated Completion Date: 6/30/2024
Contact Person: Elizabeth Pitman
Director, Division of Medical Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-244-3944
Elizabeth.Pitman@dhs.arkansas.gov
Finding Number: 2023-029
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5MAP; 05-2305AR5MAP
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Eligibility
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
Not applicable
Criteria:
In accordance with 45 CFR § 75.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statues, regulations, and terms and conditions of the award.
In addition, 42 CFR § 435.1009 states that federal financial participation (FFP) is not available for payments made on behalf of individuals who are inmates in public institutions. To be considered an inmate of a public institution, a person must be living in an institution that is the responsibility of a governmental unit or over which a governmental unit exercises administrative control.
Additionally, Section 6008 of the Families First Coronavirus Response Act (FFCRA) allowed for a temporary Federal Medical Assistance Percentage (FMAP) increase during the Public Health Emergency (PHE). In accordance with FFCRA, a state is not eligible for the temporary FMAP increase if the state reduces the medical assistance for which the beneficiary is eligible for beneficiaries who were enrolled as of March 28, 2020, or become enrolled after that date but no later than the last day of the month in which the emergency period ends.
Condition and Context:
The State received approval for a Medicaid PHE state plan amendment that became effective on March 18, 2020. The amendment allowed certain eligibility requirements to be waived through the duration of the PHE and included the following:
• Waived requirements related to timely processing of applications and renewals.
• Delayed processing of renewals and extended deadlines for families to respond to renewal requests.
• Delayed action on closure for certain changes in circumstances for Medicaid beneficiaries. However, the following circumstances for closure will be allowed during the PHE:
Recipient ceases to be a resident of the state.
Voluntary closure
Eligibility was due to fraud, abuse or perjury, or death.
• Waived co-payments for COVID-19 testing and treatment for the duration of the PHE.
In December 2022, the federal Consolidated Appropriations Act, 2023 gave states the authority to begin the process of re-determining eligibility for Medicaid enrollees kept on Medicaid rolls due to continuous coverage requirement beginning April 1, 2023, and to reinstate routine eligibility operations. States have 12 months to initiate renewals and an additional two months to complete the process.
ALA selected 60 active Medicaid recipient identification numbers to determine if eligibility determinations and redeterminations were made in accordance with the State Plan and relevant PHE rules.
Condition and Context (Continued):
ALA review revealed the following deficiencies:
• If an incarcerated recipient is eligible for at least one day of service during the month of incarceration, the entire payment for that month would be allowed and not recouped. All payments after the month of incarceration would be recouped.
One recipient was incarcerated on September 20, 2022. The Agency continued to pay claims during the incarceration for dates of service in October and November 2022 totaling $1,127. The claim payments were not recouped as required. Questioned costs representing the federal portion totaled $874.
• One recipient was simultaneously enrolled in dual Medicaid state aid categories. ALA made the Agency aware of the error, which the Agency corrected on November 14, 2023. Because the state aid categories are from the same funding source, no questioned costs were identified.
• The Agency improperly moved one recipient from ARKids A - Medicaid to ARKids B based on a change of income. As this change would result in a reduction in services provided to the recipient, it was inconsistent with the requirements of section 6008(b)(3) of the FFCRA. No questioned costs were identified.
• The Agency determined an incorrect end date for one recipient’s coverage under the Pregnant Woman-Limited (PW) category. Due to this error, coverage under PW ended prior to the birth of her child and resulted in the Agency improperly opening a Parent Caretaker Relative case under PHE rules. The Agency later reopened the PW segment, which resulted in dual segments within the system. No questioned costs were identified.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$874
(Known questioned costs greater than $25,000 for a type of compliance requirement are required to be reported. In evaluating the effect of questioned costs on the opinion on compliance, the auditor considers the best estimate of total costs questioned [likely questioned costs], not just the questioned costs specifically identified. The auditor must also report known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.)
Cause:
Errors in the ARIES system resulted in improper eligibility determinations. Additionally, MMIS claims payment system improperly reopened a previously closed eligibility segment. According to Division of County Operations (DCO) staff, the cause of previously closed eligibility segment’s reopening in MMIS is unknown at this time.
Effect:
Expenditures were not accurately reported to the federal awarding agency, were not paid from the appropriate grant award, and were not funded at the appropriate federal rate.
Recommendation:
ALA staff recommend the Agency design and implement internal controls over compliance to ensure that recipients are placed in the appropriate recipient aid categories.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. The agency is in the process of developing an MMIS change that will automatically update member profiles to accurately reflect incarceration dates. This will ensure capitated payments are paused and reinstated in a timely manner and that recoupments and repayments are subsequently processed. The agency is conducting an ARIES system review to determine the root cause of the incorrect eligibility determinations and will identify and implement any needed updates to the automatic renewal process.
Anticipated Completion Date: 6/30/2024
Contact Person: Mary Franklin
Director, Division County Operations
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-681-8377
Mary.Franklin@dhs.arkansas.gov
Finding Number: 2023-030
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2305AR5MAP
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Provider Eligibility (Fee-for-Service)
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-034.
Criteria:
According to section 140.000, Provider Participation, any provider of health services must be enrolled in the Arkansas Medicaid Program prior to reimbursement for any services provided to Arkansas Medicaid beneficiaries. Enrollment is considered complete when a provider has signed and submitted the following forms:
• Application.
• W-9 tax form.
• Medicaid provider contract.
• PCP agreement, if applicable.
• EPSDT agreement, if applicable.
• Change in ownership control or conviction of crime form.
• Disclosure of significant business transactions form.
• Specific license or certification based on provider type and specialty, if applicable.
• Participation in the Medicare program, if applicable.
42 CFR § 455.414 (effective March 25, 2011, with an extended deadline of September 25, 2016, for full compliance) states that the State Medicaid Agency must revalidate the enrollment of all providers at least every five years. Revalidation includes a new application; satisfactory completion of screening activities; and if applicable, fee payment. Screening activities vary depending on the risk category of the provider as follows:
• The limited-risk category includes database checks.
• The moderate-risk category includes those required for limited plus site visits.
• The high-risk category includes those required for moderate plus fingerprint background checks.
Condition and Context:
From a population of 11,165, ALA staff reviewed files of 40 providers to ensure sufficient, appropriate evidence was provided to support the determination of eligibility, including compliance with revalidation requirements. ALA’s review revealed deficiencies with three of the provider files as follows:
Moderate-risk category:
Sample item 21: This provider enrolled on August 28, 2018, and the Agency failed to provide documentation of the required site visit during enrollment. As a result, amounts paid to the provider from August 28, 2018 through February 29, 2020, and May 12, 2023 through June 30, 2023, are considered questioned costs. Questioned costs totaled $9,611.
In accordance with the CMS 1135 waiver, revalidations, site visits, and fingerprint background checks were paused from March 1, 2020 through May 11, 2023, as a result of the Public Health Emergency (PHE). Amounts paid to the provider during the PHE are not included in the questioned costs noted above.
Condition and Context (Continued):
Limited-risk category:
Sample item 29: This provider enrolled on February 3, 2015. A revalidation was due on February 3, 2020, but was not completed until June 28, 2023. As a result, amounts paid to the provider from February 3, 2020 through February 29, 2020, and May 12, 2023 through June 27, 2023, are considered questioned costs. Questioned costs totaled $5,934.
In accordance with the CMS 1135 waiver, revalidations, site visits, and fingerprint background checks were paused from March 1, 2020 through May 11, 2023, due to the PHE. In addition, revalidations due during the PHE could be extended to November 11, 2023. However, this provider’s revalidation was due prior to March 1, 2020; therefore, the extension is not applicable in this case. Amounts paid to the provider during the PHE are not included in the questioned costs noted above
Sample item 32: The Agency failed to provide documentation of the provider’s certification that covered any portion of fiscal year 2023. Questioned costs totaled $18,757.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$34,302
Cause:
The Agency had asserted that, effective May 31, 2019, it established and implemented new procedures to improve the following areas of provider enrollment: maintenance of provider enrollment application documents, provider revalidation, site visits, and fingerprint background requirements. Although testing results support that improvements have been made since the new procedures were implemented, deficiencies continued to exist during fiscal year 2023.
Effect:
Claims were processed and paid to providers that did not meet all the required elements and, therefore, were ineligible.
Recommendation:
ALA staff recommend the Agency review and strengthen controls to ensure that required revalidations are performed timely and required enrollment documentation is maintained to support provider eligibility.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. Effective May 31, 2019, DMS established and implemented new procedures to improve the following areas of provider enrollment: maintenance of provider application documents, provider revalidation, site visits and fingerprint background requirements. The deficiency noted for the provider referenced in sample item 21 relates to non-compliance with site visit requirements pre-dating May 31, 2019 and CMS’s approval of the agency’s corrective action plan. A site visit was performed for this provider on 8/31/2023. The agency has created system controls that require site visits before a moderate or high-risk provider may enroll with Arkansas Medicaid.
The provider noted in sample item 29 began the revalidation process in December of 2019 and their application was set to terminate at the end of February 2020. The provider was not terminated before beginning of the Public Health Emergency (PHE) with their revalidation date being reset to 9/5/2023 when the CMS 1135 waiver flexibilities were implemented. The provider has since timely completed the revalidation process.
The provider noted in sample item 32 did not keep its certification up to date for the audit period. During the PHE, many licensing and certification agencies were not processing new requests or renewals for extended periods of time. A review of this provider’s information revealed that it is likely that they would have been able to maintain continued certification. The agency has automated its certification verification process to terminate providers if a certification lapses for any reason.
Anticipated Completion Date: Complete
Contact Person: Elizabeth Pitman
Director, Division of Medical Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-244-3944
Finding Number: 2023-031
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5MAP; 05-2305AR5MAP
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Medicaid Recovery Audit Contractors (RACs)
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
Not applicable.
Criteria:
In accordance with 45 CFR § 75.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and terms and conditions of the award.
In addition, 42 CFR § 455.502 established the Medicaid Recovery Audit Contractor (RAC) program as a measure for States to promote the integrity of the Medicaid program. States must enter into contracts with one or more eligible Medicaid RACs to carry out the activities described at 42 CFR 455.506, which includes reviewing claims submitted by providers or other individuals for which payment has been made to identify underpayments and overpayments and recouping overpayments. Under 42 CFR § 455.516, a State may seek to be excepted from some or all Medicaid RAC contracting requirements by submitting a written justification to CMS requesting CMS review and approval through the State Plan amendment (SPA) process.
Condition and Context:
ALA made inquiries to determine if there were any internal controls in place for which testing could be performed. It was determined that there were no documented internal controls nor were there any internal controls in place at the Agency that pertained to the Medicaid RAC program.
In addition, ALA performed testing to determine if the State had established a Medicaid RAC with an eligible contractor that was conducting the required Medicaid RAC activities in accordance with the approved state plan including any exceptions.
The results of ALA testing revealed that, although there was no SPA in place that authorized an exception for the State to not have a Medicaid RAC in place, there were no contracts in place with any RACs for the year ended June 30, 2023.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The Agency did not adequately develop internal control procedures for its staff to ensure compliance with federal regulations related to the Medicaid RAC program. In addition, documentation obtained during fieldwork indicated that the Agency acknowledged in November 2022 that an updated SPA needed to be submitted to CMS either to establish the Office of Medicaid Inspector General (OMIG) as the RAC or to request an exemption from the requirement to contract with a RAC. However, the Agency had not requested a waiver through a SPA as of fieldwork date of October 3, 2023.
Effect:
Failure to implement appropriate procedures for internal controls led to the Agency’s non-compliance with federal regulations pertaining to the Medicaid RAC program.
Recommendation:
ALA staff recommend the Agency either contract with an eligible RAC to perform the functions required under the Medicaid RAC program, in accordance with the approved Medicaid State Plan, or submit an SPA to CMS, as the Agency indicated was its intent, in a timely manner either to establish OMIG as the RAC or to request an exemption from the requirement to contract with a RAC.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. The agency will request that CMS grant a full exemption from the requirement that a state enter a contract with a Medicaid Recovery Audit Contractor.
Anticipated Completion Date: 5/31/2024
Contact Person: Elizabeth Pitman
Director, Division of Medical Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-244-3944
Elizabeth.Pitman@dhs.arkansas.gov
Finding Number: 2023-032
State/Educational Agency(s): Arkansas Department of Commerce –
Division of Workforce Services
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 97.050 – COVID 19: Presidential Declared Disaster
Assistance to Individuals and Households – Other Needs
(Supplemental Payments for Lost Wages)
Federal Awarding Agency: Federal Emergency Management Agency
Federal Award Number(s): 4518DRARSPLW
Federal Award Year(s): Not Applicable
Compliance Requirement(s) Affected: Activities Allowed or Unallowed;
Eligibility
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
In accordance with 2 CFR § 200.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award.
In addition, 2 CFR § 200.516(a)(6) requires the auditor to report known or likely fraud affecting a federal award.
Condition and Context:
In state fiscal year 2023, the Division of Workforce Services (DWS) identified 64 claims paid for Lost Wages Assistance (LWA) totaling $67,500 as likely fraud. This is in addition to the claims identified in the previous fiscal years.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$67,500
Cause:
In response to the increase in demand for services/benefits, the State relaxed controls over identify verification and income verification for the program during fiscal year 2021. DWS continued to identify claims in fiscal year 2023 that were paid during fiscal year 2021.
Effect:
Lack of appropriate internal controls resulted in overpayments of federal funds.
Recommendation:
ALA staff recommend the Agency continue to strengthen controls over benefit payments to ensure that payments are made in the correct amounts and to eligible claimants. Additionally, ALA staff recommend the Agency continue to seek recoupment of the identified overpayments, returning them to the appropriate source.
Views of Responsible Officials and Planned Corrective Action:
Due to the health concerns of the pandemic as well as unprecedented claims volume, claimants were not required to come into a local office for identity verification, the waiting week was waived for 2020, and the requirements for work search were adjusted in order to protect employees and claimants.
Before the pandemic, all claimants were required to come to the local office to verify their identity. Removing these process controls resulted in several consequences as itemized below:
• By waiving the waiting week, the claimant was able to receive payment the following week. For example, a fraudster could file a claim on Friday, then receive payment on Sunday, removing the typical week that an employer would respond to validate the separation from employment.
• The information mailed to the employer and claimant were not received before payments were made due to the lack of waiting week.
• Businesses were closed at that time and did not respond to the unemployment paperwork timely to report fraudulent claims.
• Identity theft fraudsters often changed the address of the individuals for which they had filed claims in order to prevent the victims from being notified and reporting the fraud.
In 2020, the work search requirement was reinstated. In 2021, all claimants had to verify their identity in-person at the local office before the claim was opened for a regular unemployment claim. The UIdentify program was utilized for identity verification for the PUA claims filed after January 1, 2021. The waiting week was reinstated in January 2021, which lengthened the time period for employers to respond before payment was issued.
In addition, Internal Audit created the Fraud Investigation Unit and hired additional staff to focus on investigating the identity theft fraud claims. When the perpetrator is identified, a determination is issued and an overpayment is established in the perpetrator’s name/SSN for collection. The NASWA Integrity Data Hub (IDH) crossmatch was implemented in July 2020 as well in an effort to identify additional fraudulent claims for investigation.
ADWS was the first UI program to implement 2 projects with the Department of Labor for identity verification. One is using Login.gov and the other involves the United States Postal Service where they verify the identity of claimants for using multifactor authentication and in person presentation of ID. The Login.gov pilot started in 2022 and the USPS pilot project started in 2023.
1. The Login.gov project uses the current system that Federal agencies use to verify identity and went into service in Arkansas as of March 2022. A link is given to the claimant, when they select verify ID through login.gov and go through the steps to verify their identity through the federal government system. If they are approved, we are sent an IA2 verification to the UI processing system to allow staff to match back to the claim to prove ID verification.
2. The United States Postal Service project, implements in Arkansas March 2023, offers the claimant the same link as Login.gov, but grants the additional option to verify their identity at any US Post Office in the country. A barcode is created and must be taken with a valid government-issued ID (they are given examples) along with proof of current address to the post office in person. If they are approved, we are sent an IA2 verification to the UI processing system to allow staff to match back to the claim to prove ID verification.
Anticipated Completion Date: Corrective action was taken for the ALA staff recommendations
Contact Person: Sheri Rooney
Program Administrator
Arkansas Division of Workforce Services
#2 Capitol Mall
Little Rock, AR 72201
501-682-3382
Sheri.Rooney@arkansas.gov
Finding Number: 2023-033
State/Educational Agency(s): University of Arkansas for Medical Sciences
Pass-Through Entity: Not applicable
AL Number(s) and Program Title(s): 93.600 – Head Start Cluster
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): Unknown*
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Reporting
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
A similar issue was reported in prior-year finding 2022-045.
Criteria:
The requirements for reporting are contained in Section 200.328 which states unless otherwise approved by OMB, the Federal awarding agency must solicit only the OMB-approved governmentwide data elements for collection of financial information (at time of publication the Federal Financial Report or such future, OMB approved, governmentwide data elements available from the OMB designated standards lead. This information must be collected with the frequency required by the terms and conditions of the federal award.
Condition and Context:
UAMS did not submit the annual Federal Financial Report (FFR) and the annual Real Property Status Report (SF-429) timely.
Statistically Valid Sample:
This sample was not intended to be, and was not, a statistically valid sample.
Questioned Costs:
$0
Cause:
UAMS’ processes did not ensure reports were submitted timely.
Effect:
Effect not provided in the report received from other external auditor.
Recommendation:
We recommend that management design and implement internal controls that will ensure that all required reports are submitted timely.
*Federal Award Number(s) not provided in the report received from other external auditor.
Views of Responsible Officials and Planned Corrective Action:
Due to the prior year finding, management set a goal to ensure reporting deadlines are met by hiring an additional grants accounting staff member dedicated to monitor the head start program regulations and ensure reports are completed and filed timely. Grants accounting staff planned to utilize checklist functionality in the new financial system that will send required task notifications prior to reporting due dates to assist in meeting reporting deadlines. A new staff member was hired in July 2023. The responsibilities of the new staff member required several months of training and additional time to reconcile the head start accounts causing the January 30, 2023, report to be filed 3 days late. New processes have been implemented where the staff member assigned to the head start program meets weekly with the head start finance manager and director to discuss expenses allocated to the grants, assign tasks to be complete each week, and discuss reporting needs and deadlines.
The new implemented processes have proven to assist in proper oversight and accurate financial management of the grants and allowed us to meet the last reporting deadline in November 2023.
Anticipated Completion Date: Implemented
Contact Person: Kristy L. Walters, MBA, CPA, CHFP, CISA
Associate Vice Chancellor for Finance & Treasurer
University of Arkansas for Medical Sciences
UAMS, 4301 W. Markham St, Slot 632
Little Rock, AR 72205
(501) 686-6836, (501) 686-8137
walterskristy@uams.edu
Views of Responsible Officials and Planned Corrective Action:
Due to the prior year finding, management set a goal to ensure reporting deadlines are met by hiring an additional grants accounting staff member dedicated to monitor the head start program regulations and ensure reports are completed and filed timely. Grants accounting staff planned to utilize checklist functionality in the new financial system that will send required task notifications prior to reporting due dates to assist in meeting reporting deadlines. A new staff member was hired in July 2023. The responsibilities of the new staff member required several months of training and additional time to reconcile the head start accounts causing the January 30, 2023, report to be filed 3 days late. New processes have been implemented where the staff member assigned to the head start program meets weekly with the head start finance manager and director to discuss expenses allocated to the grants, assign tasks to be complete each week, and discuss reporting needs and deadlines.
The new implemented processes have proven to assist in proper oversight and accurate financial management of the grants and allowed us to meet the last reporting deadline in November 2023.
Anticipated Completion Date: Implemented
Contact Person: Kristy L. Walters, MBA, CPA, CHFP, CISA
Associate Vice Chancellor for Finance & Treasurer
University of Arkansas for Medical Sciences
UAMS, 4301 W. Markham St, Slot 632
Little Rock, AR 72205
(501) 686-6836, (501) 686-8137
walterskristy@uams.edu
Finding Number: 2023-002
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 10.558 – Child and Adult Care Food Program
Federal Awarding Agency: U.S. Department of Agriculture
Federal Award Number(s): 6AR300322; 6AR300323; 6AR300342
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Cash Management
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
Not applicable
Criteria:
In accordance with 2 CFR § 200.303(c), a non-federal entity must evaluate and monitor its compliance with statutes, regulations, and the terms and conditions of federal awards.
In addition, 2 CFR § 200.400(a) and (b), the non-federal entity is responsible for the efficient and effective administration of the federal award through the application of sound management practices and assumes responsibility for administering federal funds in a manner consistent with underlying agreements, program objectives, and the terms and conditions of the federal award.
Condition and Context:
The Agency receives the following separate grant awards for reimbursement payments to meal providers and sponsoring organizations:
1) CNP Block Consolidated (ALN 10.555).
2) CNP CACFP Cash in Lieu (ALN 10.558).
3) CNP CACFP Sponsor Administrative (ALN 10.558).
Previous correspondence between ALA and the federal awarding agency indicated that each grant award has a designated purpose, and funds are not to be used interchangeably among the grant awards. (Note: This correspondence was shared with Agency management during calendar year 2018.)
All expenditures are assigned an internal order number to identify the applicable federal program and cost category within AASIS, the State’s accounting system. The Agency’s Division of Child Care and Early Childhood Education (DCCECE) staff are responsible for ensuring expenditures are properly coded in AASIS, and the managerial accounting staff utilize expenditure transactions in AASIS to complete cash draws for direct costs to the program.
ALA review of 15 cash draws to determine if funds were drawn from the appropriate grant revealed the following:
• Sponsor Administrative and Cash in Lieu expenditures (ALN 10.558), totaling $98,474 and $38,342, respectively, were inappropriately drawn from the CNP Block Consolidated grant (ALN 10.555).
(Note: DCCECE transitioned from the Arkansas Department of Human Services to the Arkansas Department of Education on August 1, 2023.)
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$136,816
Cause:
DCCECE personnel did not correctly code CACFP Sponsor Administrative expenditures in AASIS, causing managerial accounting staff to draw funds from the incorrect grant award. Additionally, managerial accounting staff did not establish procedures to ensure the Cash in Lieu grant award was adequately funded prior to processing federal cash draws.
Effect:
Funds were drawn for unallowable expenditures (based on the purpose of each grant).
Recommendation:
ALA staff recommend the Agency establish and document procedures that specifically address the proper coding of expenditures in AASIS. In addition, ALA staff recommend the Agency strengthen procedures to ensure that staff properly monitor federal cash draws by reconciling with allowable expenditures and request additional funds when necessary.
Views of Responsible Officials and Planned Corrective Action:
Department of Human Services Response
DHS concurs with the finding. The Division of Childcare and Early Childhood Education (DCCECE) utilized a custom software platform to provide payment files to the State’s accounting software, AASIS, to issue payments to recipients. Within this software, the AASIS coding for Sponsor Administrative costs is coded to CNP Block Consolidated (ALN 10.555) instead of CNP CACFP Sponsor Administrative (ALN 10.558) for the questioned costs of $98,474.00. Expense error corrections were not received timely by managerial accounting staff prior to the close out of SFY2023. Effective August 1, 2023, the division formerly known as DCCECE at DHS transitioned to the Arkansas Department of Education (ADE). DHS alerted financial staff with ADE in February 2024 to review the custom software platform to ensure grant expenses are being properly coded now.
Due to depleted grant funds in CNP CACFP Cash in Lieu (ALN 10.558), the questioned costs of $38,341.68 in grants funds were manually moved by DHS Managerial Accounting staff into the CNP Block Consolidated grant. Managerial accounting staff have been retrained to ensure adequate federal funds are available prior to drawing. If manual adjustments are required, the division’s CFO, or their designee, must review and approve manual adjustments prior to the managerial accounting staff executing manual adjustments. DHS Office of Finance is developing an internal control documenting the prior approval process.
DHS will continue to work in cooperation and coordination with ADE to provide all relevant financial information, documentation, or other items necessary for the administrative functions of DCCECE so as not to disrupt any services.
Arkansas Department of Education Response
The Arkansas Department of Education, Finance unit monitors federal grant awards by using separate cost centers for each program and award year within. This process provides transparent delineation of expenses and revenues within the State’s accounting system, AASIS. Additionally, ADE Finance owns an established procedure to reconcile federal grant awards for each month, within 90 days of the month’s end. The reconciliation procedure accounts for all activity within the grants and ensures data is aligned from the federal drawdown system to the State’s accounting system, AASIS.
Anticipated Completion Date:
Department of Human Services Response: 3/31/2024
Arkansas Department of Education Response: The itemized CNP programs are reconciled using ADE procedures as of August 1,2023. ADE ensures the accuracy of data from August 1, 2023, through January 31, 2024.
Contact Person: Misty Eubanks
Deputy Secretary for Operations and Budget and Interim Chief Financial Officer Department of Human Services
P.O. Box 1437, Slot S201
Little Rock, AR 72203-1437
501-320-6327
Misty.Eubanks@dhs.arkansas.gov
Amy Thomas
Accounting Operations Manager
Arkansas Department of Education
Four Capitol Mall, Room 204
Little Rock, AR 72201
501-682-3636
Amy.Thomas@ade.arkansas.gov
Finding Number: 2023-003
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 10.558 – Child and Adult Care Food Program
Federal Awarding Agency: U.S. Department of Agriculture
Federal Award Number(s): 6AR300322
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Cash Management
Type of Finding: Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
2 CFR § 200.303(a) requires a non-federal entity to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award.
In addition, in accordance with 31 CFR § 205.33(a), a state must minimize the time between the drawdown of federal funds and their disbursement for program purposes. The timing and amount of fund transfers must be as close as is administratively feasible to the actual cash outlay for direct program costs and the proportionate share of any allowable indirect costs.
Condition and Context:
The Agency’s Division of Managerial Accounting staff perform weekly reconciliations between federal cash draw downs and expenditure transactions in AASIS, the State’s accounting system. The reconciliation is utilized to ensure funds are drawn for actual expenditures. The Division’s policy is to use funds drawn in excess of actual expenditures within three days after discovery; otherwise, funds are returned to the federal awarding agency.
ALA reviewed the cash draw reconciliations that were completed for federal fiscal years 2022 and 2023 to determine if they were completed accurately and to ensure the Agency adhered to its policy regarding excess funds drawn.
ALA review revealed that funds drawn against the 2023 CNP Block grant exceeded the allowable expenditures totaling $1,496,279. The Agency was not in compliance with its policy regarding excess funds drawn because the Agency did not immediately adjust future draws or return excess funds, as stated in its policy.
(Note: DCCECE transitioned from the Arkansas Department of Human Services to the Arkansas Department of Education on August 1, 2023.)
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$1,496,279
Cause:
Managerial Accounting staff did not effectively utilize the cash draw reconciliation to ensure funds drawn were only for immediate cash needs.
Effect:
Agency staff did not adjust subsequent cash draws or return funds to the federal awarding agency after the excess draws were discovered.
Recommendation:
ALA staff recommend the Agency review and strengthen its control procedures regarding draws and contact the Arkansas Department of Education and the federal awarding agency to ensure draws do not exceed allowable expenditures going forward.
Views of Responsible Officials and Planned Corrective Action:
Department of Human Services Response
DHS concurs with the finding. Specifically, the documentation provided to auditors during the audit period did not include a full review of allowable expenditures correlated to the federal draws. During the quarter, indirect costs are estimated and are then adjusted to actual indirect costs when the quarterly cost allocation report is completed. If an overpayment was identified after comparing to the cost allocation report, the next federal draw would be reduced by the overpayment. Due to the timing of the DHS Cost Allocation report and the omittance of the allowable 2022 CNP Block grant expenditures, the expenses were understated for 2023 CNP Block grant resulting in the appearance of a federal overpayment.
Following the audit, it was determined DHS DCCECE staff coded 161 transactions totaling direct costs of $1,977,927.62 of allowable expenses for October 2022, November 2022, and March 2023 in the State’s accounting software, AASIS, to the 2022 CNP Block grant when only $505,835.54 federal grant funds were available. The difference of $1,472,092.08 in federal funding was properly drawn from the 2023 CNP Block grant, but AASIS error corrections were not timely submitted to the managerial accounting prior to the close of SFY2023 to ensure the proper allocation of the expenditures. The cost allocation report provided to auditors during the audit period only included the 2023 CNP Block grant AASIS coding and did not include the 2022 CNP Block grant AASIS coding of $1,472,092.08. The remaining difference of $24,186.92 is due to timing of DHS’s Cost Allocation quarterly report that became available July 20th for the June 30th 2023 CNP Block grant expenses. DHS submitted additional documentation to ALA in February 2024 accounting for all allowable expenditures.
DHS Managerial Accounting staff have been provided additional cost allocation training and audit response training. Documents responsive to audit requests will be more fully reviewed prior to submission as senior finance management staffing allows. Effective August 1, 2023, DHS DCCECE has transitioned to Arkansas Department of Education (ADE). DHS will continue to work in cooperation and coordination to provide all relevant financial information, documentation, or other items necessary for the administrative functions of DCCECE so as not to disrupt any services.
Arkansas Department of Education Response
Arkansas Department of Education, Finance unit monitors fund balances in the States’s accounting system, AASIS, at minimum, every other day. The frequency of this process accounts for previous activity in funds or cost centers and pending activity recognized at the time of the review including, but not limited to, upcoming expenses and drawdown requests. ADE procedures ensure the finance unit closely oversees cash on hand, if any, and all necessary drawdowns are completed for immediate use.
Additionally, funds associated with the Office of Early Childhood (formerly DCCECE) that were carried to ADE are shown in the cash edit table, allowing the fund to have a negative balance in the State’s accounting system, AASIS. Including funds in the cash edit table supports the agency in preventing excess drawdowns by allowing funds to be received after expenses are processed. ADE is confident this procedure ensures accurate amounts are drawn.
Anticipated Completion Date:
Department of Human Services Response: Complete
Arkansas Department of Education Response: ADE Finance has implemented the named procedure and continues to monitor cash on hand closely, as the ADE Office of Early Childhood staff, (formerly DHS DCCECE), are trained in this procedure.
Contact Person: Misty Eubanks
Deputy Secretary for Operations and Budget and Interim Chief Financial Officer Department of Human Services
P.O. Box 1437, Slot S201
Little Rock, AR 72203-1437
501-320-6327
Misty.Eubanks@dhs.arkansas.gov
Amy Thomas
Accounting Operations Manager
Arkansas Department of Education
Four Capitol Mall, Room 204
Little Rock, AR 72201
501-682-3636
Amy.Thomas@ade.arkansas.gov
Finding Number: 2023-004
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 10.558 – Child and Adult Care Food Program
Federal Awarding Agency: U.S. Department of Agriculture
Federal Award Number(s): 6AR300322; 6AR300323; 6AR300342
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Procurement and Suspension and Debarment
Type of Finding: Material Weakness
Repeat Finding:
Not applicable
Criteria:
2 CFR § 200.303(a) requires a non-federal entity to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award.
In addition, 2 CFR § 200.214 holds entities subject to 2 CFR Part 180, which restricts awards, subawards, and contracts with certain parties that are debarred, suspended, or otherwise excluded from or ineligible for participation in federal assistance programs or activities.
Condition and Context:
A management evaluation was performed by the U.S. Department of Agriculture – Food and Nutrition Service (USDA-FNS) in July 2021. The evaluation revealed that the Agency was not clearly documenting its review of the National Disqualified List (NDL) prior to approving providers. In December 2021, the Agency implemented a procedure to upload the results of the search for suspended and debarred providers from the NDL to its Special Nutrition Program (SNP) database. The search and upload would occur prior to the approval of a provider.
To determine if the Agency’s new control procedure was operating as designed and effective, ALA selected 25 approved providers located within the SNP database to determine if the Agency uploaded its search of the NDL prior to approving the application. This review revealed the following:
• In 15 instances, the NDL search was not uploaded to the SNP database.
• In one instance, the Agency Coordinator and the Manager approved a provider on October 11, 2022, and October 13, 2022, respectively. However, the NDL search was not uploaded prior to the approvals. The upload occurred on December 5, 2022.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The Agency did not consistently adhere to the newly established procedure.
Effect:
Failure to adhere to the newly established procedure for internal control over compliance increases the risk that an ineligible provider is approved in error.
Recommendation:
ALA staff recommend the Agency review its newly developed control procedure with applicable staff to ensure compliance with suspension and debarment requirements.
Views of Responsible Officials and Planned Corrective Action:
Department of Human Services Response
DHS concurs with the finding. The SNP database has been updated to reflect that a National Disqualified List (NDL) search was run on the 15 providers that were reviewed. The Health and Nutrition Unit for the Office of Early Childhood conducted a staff training on the written application procedure with an emphasis on performing and documenting NDL searches prior to approval of the application. (Note: Effective August 1, 2023, DHS DCCECE has transitioned to Arkansas Department of Education.)
Arkansas Department of Education Response
Arkansas Department of Education’s Office of Early Childhood, Health and Nutrition unit conducted training December 2023 and continues to maintain staff training on the written application procedure to ensure providers are reviewed against the National Disqualified List (NDL) database and prior to approval.
Anticipated Completion Date:
Department of Human Services Response: Complete
Arkansas Department of Education Response: Continuous
Contact Person: Pamela Burton
Director, Health and Nutrition Unit, Division of Elementary and Secondary Education
Arkansas Department of Education
700 Main Street, Room 1216
Little Rock, AR 72203
501-320-8978
Pamela.Burton@ade.arkansas.gov
Finding Number: 2023-005
State/Educational Agency(s): Arkansas Department of Commerce –
Division of Workforce Services
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 17.225 – Unemployment Insurance
Federal Awarding Agency: U.S. Department of Labor
Federal Award Number(s): Not Applicable
Federal Award Year(s): Not Applicable
Compliance Requirement(s) Affected: Activities Allowed or Unallowed;
Eligibility
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
A similar issue was reported in prior-year finding 2022-001.
Criteria:
In accordance with 2 CFR § 200.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award.
In addition, 2 CFR § 200.516 (a)(6) requires the auditor to report as an audit finding any known or likely fraud affecting a federal award.
Condition and Context:
In state fiscal year 2023, the Division of Workforce Services (DWS) identified 1,077 claims paid for Unemployment Insurance programs, totaling $2,295,059, as likely fraud. (This is in addition to the claims identified in the previous years.) The $2,295,059 is comprised of $1,563,505 in federal funds and $731,554 in state funds.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$1,563,505 (federal)
$ 731,554 (state)
Cause:
In response to the increase in demand for services/benefits, the State relaxed controls over identify verification and income verification for the program during fiscal year 2021. DWS continued to identify claims in fiscal year 2023 that were paid during fiscal year 2021.
Effect:
Lack of appropriate internal controls resulted in overpayments of state and federal funds.
Recommendation:
ALA staff recommend the Agency continue to strengthen controls over benefit payments to ensure that payments are made in the correct amount and to eligible claimants. Additionally, ALA staff recommend the Agency continue to seek recoupment of the identified overpayments, returning them to their appropriate source.
Views of Responsible Officials and Planned Corrective Action:
Due to the health concerns of the pandemic as well as unprecedented claims volume, claimants were not required to come into a local office for identity verification, the waiting week was waived for 2020, and the requirements for work search were adjusted in order to protect employees and claimants.
Before the pandemic, all claimants were required to come to the local office to verify their identity. Removing these process controls resulted in several consequences as itemized below:
• By waiving the waiting week, the claimant was able to receive payment the following week. For example, a fraudster could file a claim on Friday, then receive payment on Sunday, removing the typical week that an employer would respond to validate the separation from employment.
• The information mailed to the employer and claimant were not received before payments were made due to the lack of waiting week.
• Businesses were closed at that time and did not respond to the unemployment paperwork timely to report fraudulent claims.
• Identity theft fraudsters often changed the address of the individuals for which they had filed claims in order to prevent the victims from being notified and reporting the fraud.
In 2020, the work search requirement was reinstated. In 2021, all claimants had to verify their identity in-person at the local office before the claim was opened for a regular unemployment claim. The UIdentify program was utilized for identity verification for the PUA claims filed after January 1, 2021. The waiting week was reinstated in January 2021, which lengthened the time period for employers to respond before payment was issued.
In addition, Internal Audit created the Fraud Investigation Unit and hired additional staff to focus on investigating the identity theft fraud claims. When the perpetrator is identified, a determination is issued and an overpayment is established in the perpetrator’s name/SSN for collection. The NASWA Integrity Data Hub (IDH) crossmatch was implemented in July 2020 as well in an effort to identify additional fraudulent claims for investigation.
ADWS was the first UI program to implement 2 projects with the Department of Labor for identity verification. One is using Login.gov and the other involves the United States Postal Service where they verify the identity of claimants for using multifactor authentication and in person presentation of ID. The Login.gov pilot started in 2022 and the USPS pilot project started in 2023.
1. The Login.gov project uses the current system that Federal agencies use to verify identity and went into service in Arkansas as of March 2022. A link is given to the claimant, when they select verify ID through login.gov and go through the steps to verify their identity through the federal government system. If they are approved, we are sent an IA2 verification to the UI processing system to allow staff to match back to the claim to prove ID verification.
2. The United States Postal Service project, implements in Arkansas March 2023, offers the claimant the same link as Login.gov, but grants the additional option to verify their identity at any US Post Office in the country. A barcode is created and must be taken with a valid government-issued ID (they are given examples) along with proof of current address to the post office in person. If they are approved, we are sent an IA2 verification to the UI processing system to allow staff to match back to the claim to prove ID verification.
Anticipated Completion Date: Corrective action was taken for the controls the ALA staff recommended.
Contact Person: Sheri Rooney
Program Administrator
Arkansas Division of Workforce Services
#2 Capitol Mall
Little Rock, AR 72201
501-682-3382
Sheri.Rooney@arkansas.gov
Finding Number: 2023-006
State/Educational Agency(s): Arkansas Department of Commerce –
Arkansas Economic Development Commission
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 21.027 – COVID 19: Coronavirus State and Local
Fiscal Recovery Fund (CSLFRF)
Federal Awarding Agency: U.S. Department of Treasury
Federal Award Number(s): SLFRP3627
Federal Award Year(s): 2022
Compliance Requirement(s) Affected: Activities Allowed or Unallowed;
Allowable Costs/Cost Principles
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-014.
Criteria:
In accordance with 2 CFR § 200.403(g), costs must be adequately documented to be allowable under federal awards.
In addition, state-promulgated rules governing the Arkansas Rural Connect (ARC) Program provide that internet service providers (ISPs) must submit receipts for all reimbursable expenses. The rules also provide that the full purchase price of capital equipment used for the build phase of a project and having value for other construction work subsequent to project completion, is not allowable.
Finally, 2 CFR § 200.303 states that a non-federal entity must:
• Establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award.
• Evaluate and monitor its compliance with the award.
• Take prompt action when instances of noncompliance are identified, including noncompliance identified in audit findings.
Condition and Context:
ALA staff selected 20 payments made to ISPs to determine if sufficient, appropriate documentation was maintained to support that reimbursements were made for allowable project expenses. ALA review revealed the following:
Project 1:
• Two claims, totaling $3,465, were reimbursed without appropriate supporting documentation (e.g., an invoice or receipt).
Project 2:
• Two claims, totaling $5,179, were reimbursed without appropriate supporting documentation (e.g., an invoice or receipt).
• The Agency’s contractor, UAMS-IDHI, approved reimbursement for a “fiber splicing trailer,” also referred to as a tandem axle enclosed trailer, totaling $25,673. This item is commonly used by broadband installers and has value for other non-ARC constructions projects, making it unallowable.
Project 3:
• Nine claims, totaling $92,538, were reimbursed without appropriate supporting documentation (e.g., an invoice or receipt).
• Eight claims, totaling $498,487, were reimbursed without appropriate supporting documentation (e.g., an invoice or receipt).
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$625,342
Cause:
The Agency’s contractor, UAMS-IDHI, did not perform its obligation to ensure reimbursement requests were appropriately supported. The contractor stated that it relaxed the review process as a result of an internal agreement with the previous Commission Director of Broadband.
Effect:
Reimbursements were approved for expenditures that may not have been allowable or may not have been incurred. The federal awarding agency may require recoupment.
Recommendation:
ALA staff recommend the Agency promptly develop, document, and establish procedures to monitor the agreement with its contractor to ensure completion of performance objectives and compliance with federal regulations.
Views of Responsible Officials and Planned Corrective Action:
ASBO has entered a contract with a new 3rd party administrator to provide oversight for all subgrant awardees. This contact is active now. We developed our contract to ensure improved monitoring for expenditures and verification of receipts. Also, we are in the process of developing a portal which will allow this contractor and ASBO to have full access to all documents from subgrantees. Our new vendor does have prior experience with subgrants management.
In addition, ASBO commits internally to the following:
• We will monitor all capital purchases when the invoices are received at our office.
• We will pull a random sample of five invoices per month and conduct our own review of expenses.
Highlights for the Baker contract:
ASBO’s broadband grant program management vendor-partner, Michael Baker International (MBI), is contracted for the following activities and deliverables:
• Developing the workflow, process, and online forms that facilitate project monitoring and expense reimbursement.
• Responsible for pursuing and documenting additional information required for project monitoring and reimbursement activities. These activities shall be completed within the framework of the Broadband Grants Project Monitoring and Reimbursement System (see below for details) and not through external email or other document exchange system.
• Develop and apply standardized naming conventions for all project documents that will be maintained throughout the life of the project. Documents shall be stored in a manner that promotes transparency and facilities ease of use by auditors.
• Take all reasonable measures to ensure grant activities are implemented in a manner that ensures transparency, accountability, and oversight sufficient to (1) minimize the opportunity for waste, fraud, and abuse; (2) ensure that subrecipients use funds to further the objectives of Federal programs and the Arkansas State Broadband Office; and (3) allow the public to understand and monitor subgrants awarded under the program.
• Ensuring all reimbursement activity complies with Federal requirements, including Section 60102 of the Infrastructure Act, 2 C.F.R. Part 200 and any supplemental guidance issued by the Federal government.
• Responsible for knowing what constitutes eligible and ineligible expenses under both state and Federal rules.
• Provide education and guidance to subrecipients and the ASBO on key oversight and compliance requirements.
• Ensure payment activities follow all state and Federal policies and procedures. Contractor acknowledges policies may change over the life of the contract.
• Identify policies the ASBO is required to adopt and assist in drafting those policies to ensure ASBO compliance with Federal regulations.
• Assist the Arkansas State Broadband Office in enforcing program rules and laws and imposing penalties for nonperformance, failure to meet statutory obligations, or wasteful, fraudulent, or abusive expenditure of funds. Such penalties include, but are not limited to, imposition of additional award conditions, payment suspension, award suspension, grant termination, de-obligation/clawback of funds, and debarment of organizations and/or personnel.
• Conduct audits of subrecipients as are necessary and appropriate. Contractor shall report the results of any audits it conducts to the Arkansas State Broadband Office.
• Develop a template contract for subrecipients, specifying key terms including contract length, performance standards, construction and service rollout schedules, competitive access requirements, regulatory compliance requirements, environmental controls, grant reporting and data sharing requirements, monitoring and oversight procedures, and penalties for non-compliance.
• Retain and provide to the Arkansas State Broadband Office upon request all records, documents, and communications of any kind that relates in any manner to grant awards and project procurement, performance, and reimbursement. This data shall be labeled and stored in a manner that promotes transparency and facilitates ease of use by auditors.
Additionally, MBI is building two new systems for ASBO and subgrantee use:
1. Broadband Grants Project Monitoring and Reimbursement System
2. Grant Application Submission, Evaluation, Award, and Appeal System
These systems will have the following features:
• Facilitate inputs, responses, data gathering, analysis, and adjudication decision recommendations and subsequent documentation of payment decisions for the Arkansas State Broadband Office’s final approval.
• Provide a secure mechanism for grant applications and safeguard protected, proprietary, and other confidential information.
• Assign a unique identifier to each application and each project. Contractor shall develop and apply a standardized naming convention to all applications and associated documents that will be maintained throughout award, technical review, project monitoring, and project closing. Documents shall be named and stored in a manner that facilitates ease of use by auditors.
• System shall exhibit built-in quality controls, such as pre-screening, that assist applicants in submitting applications that meet all minimal requirements for consideration (such as requiring a SAM number).
• MBI shall be responsible for pursuing and documenting additional information required for clarification of submitted applications, technical reviews of applications, and project monitoring
• and reimbursement activities. These activities shall be completed within the framework of the Grant Application Submission, Evaluation, Award, and Appeal System or the Broadband Grants Project Monitoring and Reimbursement System and not through external email or other document exchange systems.
Anticipated Completion Date: System anticipated go live Date: April 26, 2024
Contact Person: Glen E. Howie
Director
Department of Commerce, Arkansas State Broadband Office
1 Commerce Way, Suite. 601
Little Rock, AR 72202
(501) 682-1123
Glen.Howie@ArkansasEDC.gov
Finding Number: 2023-007
State/Educational Agency(s): Arkansas Department of Commerce –
Arkansas Economic Development Commission
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 21.027 – COVID 19: Coronavirus State and Local
Fiscal Recovery Fund (CSLFRF)
Federal Awarding Agency: U.S. Department of Treasury
Federal Award Number(s): SLFRP3627
Federal Award Year(s): 2022
Compliance Requirement(s) Affected: Procurement and Suspension and Debarment
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-017.
Criteria:
In accordance with 2 CFR § 200.302(b)(7), a non-federal entity must establish written procedures to implement and determine the allowability of costs in accordance with Uniform Administrative Requirements, Cost Principles, and Audit Requirements, as well as the terms and conditions of the federal award.
In addition, 2 CFR § 200.303(a) states that a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the award in compliance with federal statutes, regulations, and the terms and conditions of the award.
Finally, 2 CFR § 200.214 holds entities subject to 2 CFR Part 180, which restricts awards, subawards, and contracts with certain parties that are debarred, suspended, or otherwise excluded from or ineligible for participation in federal assistance programs or activities.
Condition and Context:
For the second consecutive year, the Agency failed to establish documented control procedures for this compliance requirement area.
The Agency is responsible for ensuring that entities receiving awards are registered in the System for Award Management (SAM) database and have not been suspended or debarred. Registration must occur prior to the issuance of a contract or grant agreement.
ALA staff reviewed 11 contracts and grant agreements to determine if the Agency complied with the requirement. ALA review revealed that one entity, with an agreement dated January 27, 2022, failed to register on SAM until February 18, 2022.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Unknown
Cause:
The Agency failed to establish documented control procedures and did not have adequately trained staff to ensure compliance.
Effect:
Failure to develop, document, and implement procedures for internal control over compliance increases risk for issuance of contracts and grant agreements to excluded or ineligible entities.
Recommendation:
ALA staff recommend the Agency promptly develop, document, and establish policies to ensure contracts and grant agreements are only issued to eligible entities.
Views of Responsible Officials and Planned Corrective Action:
ASBO has made the registration at Sam.gov part of the application process that will be handled through the subgrant portal being developed with our new grants monitoring contractor. This will now be an electronic field that will be entered by the subgrantee. The 3rd party administrator will be responsible for verifying the subgrant applicant Sam.gov registration is valid and active.
Anticipated Completion Date: System anticipated go live Date: April 26, 2024
Contact Person: Glen E. Howie
Director
Department of Commerce, Arkansas State Broadband Office
1 Commerce Way, Suite. 601
Little Rock, AR 72202
(501) 682-1123
Glen.Howie@ArkansasEDC.gov
Finding Number: 2023-008
State/Educational Agency(s): Arkansas Department of Commerce –
Arkansas Economic Development Commission
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 21.027 – COVID 19: Coronavirus State and Local
Fiscal Recovery Fund (CSLFRF)
Federal Awarding Agency: U.S. Department of Treasury
Federal Award Number(s): SLFRP3627
Federal Award Year(s): 2021
Compliance Requirement(s) Affected: Subrecipient Monitoring
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-018.
Criteria:
In accordance with 2 CFR § 200.332(a)(1), all pass-through entities must ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward:
i. Subrecipient name (which must match the name associated with its unique entity identifier).
ii. Subrecipient's unique entity identifier.
iii. Federal Award Identification Number (FAIN).
iv. Federal award date.
v. Subaward Period of Performance start and end date.
vi. Subaward budget period start and end date.
vii. Amount of federal funds obligated by this action by the pass-through entity to the subrecipient.
viii. Total amount of federal funds obligated to the subrecipient by the pass-through entity including the current financial obligation.
ix. Total amount of the federal award committed to the subrecipient by the pass-through entity.
x. Federal award project description, as required to be responsive to the Federal Funding Accountability and Transparency Act (FFATA).
xi. Name of federal awarding agency, pass-through entity, and contact information for awarding official of the pass-through entity.
xii. Assistance listings number (ALN) and title; the pass-through entity must identify the dollar amount made available under each Federal award and the ALN at time of disbursement.
xiii. Identification of whether the award is Research & Development.
xiv. Indirect cost rate for the federal award.
In addition, 2 CFR § 200.332(a)(4) requires an approved federally recognized indirect cost rate between the subrecipient and the federal awarding agency.
2 CFR § 200.332(b) states that pass-through entities must evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring.
Finally, 2 CFR § 200.332(d) states that pass-through entities must monitor the activities of the subrecipient as necessary to ensure that the subaward performance goals are achieved.
Section 9(G) of the Arkansas Rule Connect (ARC) rules state that within 45 days after grant approval, the Internet Service Provider (ISP) should submit the project plans to a licensed Professional Engineer (PE) for a technical adequacy confirmation. Once received, the ISP should submit the PE approval stamp to the Arkansas State Broadband Office (ASBO).
Condition and Context:
ALA staff reviewed seven executed grant agreements, totaling $28,392,301, to determine if they met the Uniform Guidance criteria. The following deficiencies were noted:
• The seven grant agreements did not include all required terms, specifically from the criteria noted above, ii, iii, iv, xi, xii, xiii, and xiv.
• An indirect cost rate agreement could not be provided.
• Discussion with management indicated that the ISPs were evaluated during the application process, but the results were not documented. Without proper documentation, ALA staff were unable to determine if the ISPs were assessed for risk as required by Uniform Guidance (2 CFR § 200.332(b)).
• Discussion with management indicated that the pass-through entity did not have documentation indicating that a PE reviewed the technical adequacy of any of the seven projects ALA reviewed.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The Agency did not ensure staff were trained and knowledgeable regarding Uniform Guidance requirements for subrecipients.
Effect:
Without a proper grant agreement, subrecipients may be unaware that their award is subject to federal compliance requirements. The Agency could award federal funds to a high risk entity and fail to adjust the methods of monitoring accordingly. Absent a review by a PE, the project may fail to comply with performance requirements.
Recommendation:
ALA staff recommend the Agency provide training to appropriate staff to ensure adherence to Uniform Guidance regarding subrecipient monitoring.
Views of Responsible Officials and Planned Corrective Action:
ASBO has developed a Notice of Subgrant Award Information Form providing required information to each subrecipient. We have already sent this form out for CPF grants as an amendment to the current grant award. This form will be part of the subawards that will be issued for the upcoming BEAD subgrants. We are currently developing this form for all SLFRF grants to be sent out as an amendment. It is currently being reviewed for changes. Our goal is to have this form out as an amendment to all SLFRF subgrantees by June 1, 2024.
Anticipated Completion Date: June 1, 2024
Contact Person: Glen E. Howie
Director
Department of Commerce, Arkansas State Broadband Office
1 Commerce Way, Suite. 601
Little Rock, AR 72202
(501) 682-1123
Glen.Howie@ArkansasEDC.gov
Finding Number: 2023-009
State/Educational Agency(s): University of Arkansas – Little Rock
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.007 – Federal Supplemental Educational Opportunity Grants
84.033 – Federal Work Study Program
84.063 – Federal Pell Grant Program
84.268 – Federal Direct Student Loans
84.379 – TEACH Grant
(Student Financial Assistance Cluster)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): Various
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Gramm-Leach-Bliley Act-Student Information Security
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
Postsecondary institutions are required under the Gramm-Leach-Bliley Act (16 CFR § 314) to establish an information security program. This program should encompass a documented risk assessment, identifying internal and external risks to the security, confidentiality, and integrity of customer information. Additionally, the written information security program must outline the implementation of particular safeguards tailored to address the risks identified in the risk assessment.
Condition and Context:
The University of Arkansas Little Rock did not establish adequate internal controls over and did not comply with federal requirements to conduct a risk assessment of student information security in accordance with 16 CFR § 314.4.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The University of Arkansas Little Rock did not develop internal controls to monitor grant requirements, The required risk assessment and implementation of safeguards to control risk identified were inadequate to protect students’ financial aid information.
Effect:
Student information was more susceptible to unauthorized disclosure, misuse, alteration, destruction, or other compromise because risks could exist for which safeguards have not been designed and implemented.
Recommendation:
ALA recommends the University perform a risk assessment in accordance with 16 CFR § 314. This assessment should evaluate the risks associated with protecting students' financial aid information, covering all essential elements specified in 16 CFR § 314. Additionally, the University should establish a periodic review process to continuously comply with regulatory requirements, maintain a proactive approach to information security, develop an information security program, and implement a comprehensive set of safeguards tailored to address specific risks identified in the risk assessment.
Views of Responsible Officials and Planned Corrective Action:
Management understands the recommendations provided in the finding. We are planning on updating our 2021 Risk Assessment with our campus community in the near future. In accordance with ALA's recommendation, we will focus on GLBA 16 CFR 314 elements and financial aid data. As with our 2021 Risk Assessment, our plan will be reviewed and accepted by our Chancellor. We intend to have the Risk Assessment updated and reviewed by June 30, 2024. We will also coordinate the risks identified with the extensive list of controls and policies that currently protect student’s financial aid information. These include:
Acceptable Use Policy_V7_3.pdf
Antivirus and Malware Policy_V2_1.pdf
Cloud Services Policy_V1_2.pdf
Confluence Screenshots Of Contact Information For Critical Systems (1).pdf
Data Classification Policy_V1_2.pdf
Data Encryption Policy_V7_1.pdf
Data Management Use Protection Policy_V7_2.pdf
Data Protection Policy_V7_2
Data Protection Policy_V7_2.pdf
Disaster Recovery Business Continuity System Recovery Prioritization List_V1_2.pdf
Disaster Recovery Procedure_V1_5.pdf
Drive Data Deletion Policy_V7_2.pdf
E-Learning Policies_V7_1.pdf
Email and Digital Communication Policy_V8_2.pdf
Email and Digital Communication Policy_V8_2.pdf
Employee Data Deletion Policy_V7_2.pdf
Encryption of Sensitive Data on Transmission Policy_V7_2.pdf
Faculty Senate Legislation Reference_V6.1.pdf
Firewall Blacklist and Whitelist Policy_V7_2.pdf
Firewall Management Procedure_V7_2.pdf
GLBA Risk assessment.docx
Incident Response and Forensic Analysis Procedures_V7_5.pdf
IT Employee Departure Procedures_V7_2.pdf
IT Security Awareness and Competencies Policy_V1_5.pdf
IT Services System Administration Privileged Access Management Policy_V7_2.pdf
IT System Backup Procedures_V7_2.pdf
IT System Patching Process_V7_3.pdf
Lab / Classroom Administrative Rights Exception Request_V6_1.pdf
Local Firewall Procedures for Workstations and Mobile Devices_V7_2.pdf
Log Review Policy_V2_1.pdf
Mobile Device Security - Remote Email Destruction Process_V1_1.pdf
Mobile Device Security Policy_V2_1.pdf
Multi-factor Authentication - Information Technology Services - UA Little Rock.pdf
Network Patching Process_V1_1.pdf
PCI Compliance _ Training Policy_V7_2.pdf
Physical Security Policy_V1_3.pdf
Retention of Records Policies_V7_2.pdf
Security and Incident Response Team Policy_V1_3.pdf
Security and IT System Access Policy_V1_2.pdf
Student Account Deletion Policy_V7_2.pdf
System Log Requirements_V8_2.pdf
UALR Change Management Policy 2.2.pdf
Vendor Remote Access Policy_V1_1.pdf
Vulnerability Scan Policy_V7_2.pdf
Wireless Network Guest Security Policy_V1_1.pdf
Wireless Security Policy_V1_2.pdf
Workstation Administrative Rights Exception Request_V6_1.pdf
Anticipated Completion Date: June 30, 2024
Contact Person: Gerald J. Ganz, Jr.
Vice Chancellor for Finance & Administration
University of Arkansas at Little Rock
2801 S. University Avenue
Little Rock, AR 72204
501-916-5622
GJGanz@ualr.edu
Finding Number: 2023-009
State/Educational Agency(s): University of Arkansas – Little Rock
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.007 – Federal Supplemental Educational Opportunity Grants
84.033 – Federal Work Study Program
84.063 – Federal Pell Grant Program
84.268 – Federal Direct Student Loans
84.379 – TEACH Grant
(Student Financial Assistance Cluster)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): Various
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Gramm-Leach-Bliley Act-Student Information Security
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
Postsecondary institutions are required under the Gramm-Leach-Bliley Act (16 CFR § 314) to establish an information security program. This program should encompass a documented risk assessment, identifying internal and external risks to the security, confidentiality, and integrity of customer information. Additionally, the written information security program must outline the implementation of particular safeguards tailored to address the risks identified in the risk assessment.
Condition and Context:
The University of Arkansas Little Rock did not establish adequate internal controls over and did not comply with federal requirements to conduct a risk assessment of student information security in accordance with 16 CFR § 314.4.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The University of Arkansas Little Rock did not develop internal controls to monitor grant requirements, The required risk assessment and implementation of safeguards to control risk identified were inadequate to protect students’ financial aid information.
Effect:
Student information was more susceptible to unauthorized disclosure, misuse, alteration, destruction, or other compromise because risks could exist for which safeguards have not been designed and implemented.
Recommendation:
ALA recommends the University perform a risk assessment in accordance with 16 CFR § 314. This assessment should evaluate the risks associated with protecting students' financial aid information, covering all essential elements specified in 16 CFR § 314. Additionally, the University should establish a periodic review process to continuously comply with regulatory requirements, maintain a proactive approach to information security, develop an information security program, and implement a comprehensive set of safeguards tailored to address specific risks identified in the risk assessment.
Views of Responsible Officials and Planned Corrective Action:
Management understands the recommendations provided in the finding. We are planning on updating our 2021 Risk Assessment with our campus community in the near future. In accordance with ALA's recommendation, we will focus on GLBA 16 CFR 314 elements and financial aid data. As with our 2021 Risk Assessment, our plan will be reviewed and accepted by our Chancellor. We intend to have the Risk Assessment updated and reviewed by June 30, 2024. We will also coordinate the risks identified with the extensive list of controls and policies that currently protect student’s financial aid information. These include:
Acceptable Use Policy_V7_3.pdf
Antivirus and Malware Policy_V2_1.pdf
Cloud Services Policy_V1_2.pdf
Confluence Screenshots Of Contact Information For Critical Systems (1).pdf
Data Classification Policy_V1_2.pdf
Data Encryption Policy_V7_1.pdf
Data Management Use Protection Policy_V7_2.pdf
Data Protection Policy_V7_2
Data Protection Policy_V7_2.pdf
Disaster Recovery Business Continuity System Recovery Prioritization List_V1_2.pdf
Disaster Recovery Procedure_V1_5.pdf
Drive Data Deletion Policy_V7_2.pdf
E-Learning Policies_V7_1.pdf
Email and Digital Communication Policy_V8_2.pdf
Email and Digital Communication Policy_V8_2.pdf
Employee Data Deletion Policy_V7_2.pdf
Encryption of Sensitive Data on Transmission Policy_V7_2.pdf
Faculty Senate Legislation Reference_V6.1.pdf
Firewall Blacklist and Whitelist Policy_V7_2.pdf
Firewall Management Procedure_V7_2.pdf
GLBA Risk assessment.docx
Incident Response and Forensic Analysis Procedures_V7_5.pdf
IT Employee Departure Procedures_V7_2.pdf
IT Security Awareness and Competencies Policy_V1_5.pdf
IT Services System Administration Privileged Access Management Policy_V7_2.pdf
IT System Backup Procedures_V7_2.pdf
IT System Patching Process_V7_3.pdf
Lab / Classroom Administrative Rights Exception Request_V6_1.pdf
Local Firewall Procedures for Workstations and Mobile Devices_V7_2.pdf
Log Review Policy_V2_1.pdf
Mobile Device Security - Remote Email Destruction Process_V1_1.pdf
Mobile Device Security Policy_V2_1.pdf
Multi-factor Authentication - Information Technology Services - UA Little Rock.pdf
Network Patching Process_V1_1.pdf
PCI Compliance _ Training Policy_V7_2.pdf
Physical Security Policy_V1_3.pdf
Retention of Records Policies_V7_2.pdf
Security and Incident Response Team Policy_V1_3.pdf
Security and IT System Access Policy_V1_2.pdf
Student Account Deletion Policy_V7_2.pdf
System Log Requirements_V8_2.pdf
UALR Change Management Policy 2.2.pdf
Vendor Remote Access Policy_V1_1.pdf
Vulnerability Scan Policy_V7_2.pdf
Wireless Network Guest Security Policy_V1_1.pdf
Wireless Security Policy_V1_2.pdf
Workstation Administrative Rights Exception Request_V6_1.pdf
Anticipated Completion Date: June 30, 2024
Contact Person: Gerald J. Ganz, Jr.
Vice Chancellor for Finance & Administration
University of Arkansas at Little Rock
2801 S. University Avenue
Little Rock, AR 72204
501-916-5622
GJGanz@ualr.edu
Finding Number: 2023-009
State/Educational Agency(s): University of Arkansas – Little Rock
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.007 – Federal Supplemental Educational Opportunity Grants
84.033 – Federal Work Study Program
84.063 – Federal Pell Grant Program
84.268 – Federal Direct Student Loans
84.379 – TEACH Grant
(Student Financial Assistance Cluster)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): Various
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Gramm-Leach-Bliley Act-Student Information Security
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
Postsecondary institutions are required under the Gramm-Leach-Bliley Act (16 CFR § 314) to establish an information security program. This program should encompass a documented risk assessment, identifying internal and external risks to the security, confidentiality, and integrity of customer information. Additionally, the written information security program must outline the implementation of particular safeguards tailored to address the risks identified in the risk assessment.
Condition and Context:
The University of Arkansas Little Rock did not establish adequate internal controls over and did not comply with federal requirements to conduct a risk assessment of student information security in accordance with 16 CFR § 314.4.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The University of Arkansas Little Rock did not develop internal controls to monitor grant requirements, The required risk assessment and implementation of safeguards to control risk identified were inadequate to protect students’ financial aid information.
Effect:
Student information was more susceptible to unauthorized disclosure, misuse, alteration, destruction, or other compromise because risks could exist for which safeguards have not been designed and implemented.
Recommendation:
ALA recommends the University perform a risk assessment in accordance with 16 CFR § 314. This assessment should evaluate the risks associated with protecting students' financial aid information, covering all essential elements specified in 16 CFR § 314. Additionally, the University should establish a periodic review process to continuously comply with regulatory requirements, maintain a proactive approach to information security, develop an information security program, and implement a comprehensive set of safeguards tailored to address specific risks identified in the risk assessment.
Views of Responsible Officials and Planned Corrective Action:
Management understands the recommendations provided in the finding. We are planning on updating our 2021 Risk Assessment with our campus community in the near future. In accordance with ALA's recommendation, we will focus on GLBA 16 CFR 314 elements and financial aid data. As with our 2021 Risk Assessment, our plan will be reviewed and accepted by our Chancellor. We intend to have the Risk Assessment updated and reviewed by June 30, 2024. We will also coordinate the risks identified with the extensive list of controls and policies that currently protect student’s financial aid information. These include:
Acceptable Use Policy_V7_3.pdf
Antivirus and Malware Policy_V2_1.pdf
Cloud Services Policy_V1_2.pdf
Confluence Screenshots Of Contact Information For Critical Systems (1).pdf
Data Classification Policy_V1_2.pdf
Data Encryption Policy_V7_1.pdf
Data Management Use Protection Policy_V7_2.pdf
Data Protection Policy_V7_2
Data Protection Policy_V7_2.pdf
Disaster Recovery Business Continuity System Recovery Prioritization List_V1_2.pdf
Disaster Recovery Procedure_V1_5.pdf
Drive Data Deletion Policy_V7_2.pdf
E-Learning Policies_V7_1.pdf
Email and Digital Communication Policy_V8_2.pdf
Email and Digital Communication Policy_V8_2.pdf
Employee Data Deletion Policy_V7_2.pdf
Encryption of Sensitive Data on Transmission Policy_V7_2.pdf
Faculty Senate Legislation Reference_V6.1.pdf
Firewall Blacklist and Whitelist Policy_V7_2.pdf
Firewall Management Procedure_V7_2.pdf
GLBA Risk assessment.docx
Incident Response and Forensic Analysis Procedures_V7_5.pdf
IT Employee Departure Procedures_V7_2.pdf
IT Security Awareness and Competencies Policy_V1_5.pdf
IT Services System Administration Privileged Access Management Policy_V7_2.pdf
IT System Backup Procedures_V7_2.pdf
IT System Patching Process_V7_3.pdf
Lab / Classroom Administrative Rights Exception Request_V6_1.pdf
Local Firewall Procedures for Workstations and Mobile Devices_V7_2.pdf
Log Review Policy_V2_1.pdf
Mobile Device Security - Remote Email Destruction Process_V1_1.pdf
Mobile Device Security Policy_V2_1.pdf
Multi-factor Authentication - Information Technology Services - UA Little Rock.pdf
Network Patching Process_V1_1.pdf
PCI Compliance _ Training Policy_V7_2.pdf
Physical Security Policy_V1_3.pdf
Retention of Records Policies_V7_2.pdf
Security and Incident Response Team Policy_V1_3.pdf
Security and IT System Access Policy_V1_2.pdf
Student Account Deletion Policy_V7_2.pdf
System Log Requirements_V8_2.pdf
UALR Change Management Policy 2.2.pdf
Vendor Remote Access Policy_V1_1.pdf
Vulnerability Scan Policy_V7_2.pdf
Wireless Network Guest Security Policy_V1_1.pdf
Wireless Security Policy_V1_2.pdf
Workstation Administrative Rights Exception Request_V6_1.pdf
Anticipated Completion Date: June 30, 2024
Contact Person: Gerald J. Ganz, Jr.
Vice Chancellor for Finance & Administration
University of Arkansas at Little Rock
2801 S. University Avenue
Little Rock, AR 72204
501-916-5622
GJGanz@ualr.edu
Finding Number: 2023-009
State/Educational Agency(s): University of Arkansas – Little Rock
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.007 – Federal Supplemental Educational Opportunity Grants
84.033 – Federal Work Study Program
84.063 – Federal Pell Grant Program
84.268 – Federal Direct Student Loans
84.379 – TEACH Grant
(Student Financial Assistance Cluster)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): Various
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Gramm-Leach-Bliley Act-Student Information Security
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
Postsecondary institutions are required under the Gramm-Leach-Bliley Act (16 CFR § 314) to establish an information security program. This program should encompass a documented risk assessment, identifying internal and external risks to the security, confidentiality, and integrity of customer information. Additionally, the written information security program must outline the implementation of particular safeguards tailored to address the risks identified in the risk assessment.
Condition and Context:
The University of Arkansas Little Rock did not establish adequate internal controls over and did not comply with federal requirements to conduct a risk assessment of student information security in accordance with 16 CFR § 314.4.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The University of Arkansas Little Rock did not develop internal controls to monitor grant requirements, The required risk assessment and implementation of safeguards to control risk identified were inadequate to protect students’ financial aid information.
Effect:
Student information was more susceptible to unauthorized disclosure, misuse, alteration, destruction, or other compromise because risks could exist for which safeguards have not been designed and implemented.
Recommendation:
ALA recommends the University perform a risk assessment in accordance with 16 CFR § 314. This assessment should evaluate the risks associated with protecting students' financial aid information, covering all essential elements specified in 16 CFR § 314. Additionally, the University should establish a periodic review process to continuously comply with regulatory requirements, maintain a proactive approach to information security, develop an information security program, and implement a comprehensive set of safeguards tailored to address specific risks identified in the risk assessment.
Views of Responsible Officials and Planned Corrective Action:
Management understands the recommendations provided in the finding. We are planning on updating our 2021 Risk Assessment with our campus community in the near future. In accordance with ALA's recommendation, we will focus on GLBA 16 CFR 314 elements and financial aid data. As with our 2021 Risk Assessment, our plan will be reviewed and accepted by our Chancellor. We intend to have the Risk Assessment updated and reviewed by June 30, 2024. We will also coordinate the risks identified with the extensive list of controls and policies that currently protect student’s financial aid information. These include:
Acceptable Use Policy_V7_3.pdf
Antivirus and Malware Policy_V2_1.pdf
Cloud Services Policy_V1_2.pdf
Confluence Screenshots Of Contact Information For Critical Systems (1).pdf
Data Classification Policy_V1_2.pdf
Data Encryption Policy_V7_1.pdf
Data Management Use Protection Policy_V7_2.pdf
Data Protection Policy_V7_2
Data Protection Policy_V7_2.pdf
Disaster Recovery Business Continuity System Recovery Prioritization List_V1_2.pdf
Disaster Recovery Procedure_V1_5.pdf
Drive Data Deletion Policy_V7_2.pdf
E-Learning Policies_V7_1.pdf
Email and Digital Communication Policy_V8_2.pdf
Email and Digital Communication Policy_V8_2.pdf
Employee Data Deletion Policy_V7_2.pdf
Encryption of Sensitive Data on Transmission Policy_V7_2.pdf
Faculty Senate Legislation Reference_V6.1.pdf
Firewall Blacklist and Whitelist Policy_V7_2.pdf
Firewall Management Procedure_V7_2.pdf
GLBA Risk assessment.docx
Incident Response and Forensic Analysis Procedures_V7_5.pdf
IT Employee Departure Procedures_V7_2.pdf
IT Security Awareness and Competencies Policy_V1_5.pdf
IT Services System Administration Privileged Access Management Policy_V7_2.pdf
IT System Backup Procedures_V7_2.pdf
IT System Patching Process_V7_3.pdf
Lab / Classroom Administrative Rights Exception Request_V6_1.pdf
Local Firewall Procedures for Workstations and Mobile Devices_V7_2.pdf
Log Review Policy_V2_1.pdf
Mobile Device Security - Remote Email Destruction Process_V1_1.pdf
Mobile Device Security Policy_V2_1.pdf
Multi-factor Authentication - Information Technology Services - UA Little Rock.pdf
Network Patching Process_V1_1.pdf
PCI Compliance _ Training Policy_V7_2.pdf
Physical Security Policy_V1_3.pdf
Retention of Records Policies_V7_2.pdf
Security and Incident Response Team Policy_V1_3.pdf
Security and IT System Access Policy_V1_2.pdf
Student Account Deletion Policy_V7_2.pdf
System Log Requirements_V8_2.pdf
UALR Change Management Policy 2.2.pdf
Vendor Remote Access Policy_V1_1.pdf
Vulnerability Scan Policy_V7_2.pdf
Wireless Network Guest Security Policy_V1_1.pdf
Wireless Security Policy_V1_2.pdf
Workstation Administrative Rights Exception Request_V6_1.pdf
Anticipated Completion Date: June 30, 2024
Contact Person: Gerald J. Ganz, Jr.
Vice Chancellor for Finance & Administration
University of Arkansas at Little Rock
2801 S. University Avenue
Little Rock, AR 72204
501-916-5622
GJGanz@ualr.edu
Finding Number: 2023-009
State/Educational Agency(s): University of Arkansas – Little Rock
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.007 – Federal Supplemental Educational Opportunity Grants
84.033 – Federal Work Study Program
84.063 – Federal Pell Grant Program
84.268 – Federal Direct Student Loans
84.379 – TEACH Grant
(Student Financial Assistance Cluster)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): Various
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Gramm-Leach-Bliley Act-Student Information Security
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
Postsecondary institutions are required under the Gramm-Leach-Bliley Act (16 CFR § 314) to establish an information security program. This program should encompass a documented risk assessment, identifying internal and external risks to the security, confidentiality, and integrity of customer information. Additionally, the written information security program must outline the implementation of particular safeguards tailored to address the risks identified in the risk assessment.
Condition and Context:
The University of Arkansas Little Rock did not establish adequate internal controls over and did not comply with federal requirements to conduct a risk assessment of student information security in accordance with 16 CFR § 314.4.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The University of Arkansas Little Rock did not develop internal controls to monitor grant requirements, The required risk assessment and implementation of safeguards to control risk identified were inadequate to protect students’ financial aid information.
Effect:
Student information was more susceptible to unauthorized disclosure, misuse, alteration, destruction, or other compromise because risks could exist for which safeguards have not been designed and implemented.
Recommendation:
ALA recommends the University perform a risk assessment in accordance with 16 CFR § 314. This assessment should evaluate the risks associated with protecting students' financial aid information, covering all essential elements specified in 16 CFR § 314. Additionally, the University should establish a periodic review process to continuously comply with regulatory requirements, maintain a proactive approach to information security, develop an information security program, and implement a comprehensive set of safeguards tailored to address specific risks identified in the risk assessment.
Views of Responsible Officials and Planned Corrective Action:
Management understands the recommendations provided in the finding. We are planning on updating our 2021 Risk Assessment with our campus community in the near future. In accordance with ALA's recommendation, we will focus on GLBA 16 CFR 314 elements and financial aid data. As with our 2021 Risk Assessment, our plan will be reviewed and accepted by our Chancellor. We intend to have the Risk Assessment updated and reviewed by June 30, 2024. We will also coordinate the risks identified with the extensive list of controls and policies that currently protect student’s financial aid information. These include:
Acceptable Use Policy_V7_3.pdf
Antivirus and Malware Policy_V2_1.pdf
Cloud Services Policy_V1_2.pdf
Confluence Screenshots Of Contact Information For Critical Systems (1).pdf
Data Classification Policy_V1_2.pdf
Data Encryption Policy_V7_1.pdf
Data Management Use Protection Policy_V7_2.pdf
Data Protection Policy_V7_2
Data Protection Policy_V7_2.pdf
Disaster Recovery Business Continuity System Recovery Prioritization List_V1_2.pdf
Disaster Recovery Procedure_V1_5.pdf
Drive Data Deletion Policy_V7_2.pdf
E-Learning Policies_V7_1.pdf
Email and Digital Communication Policy_V8_2.pdf
Email and Digital Communication Policy_V8_2.pdf
Employee Data Deletion Policy_V7_2.pdf
Encryption of Sensitive Data on Transmission Policy_V7_2.pdf
Faculty Senate Legislation Reference_V6.1.pdf
Firewall Blacklist and Whitelist Policy_V7_2.pdf
Firewall Management Procedure_V7_2.pdf
GLBA Risk assessment.docx
Incident Response and Forensic Analysis Procedures_V7_5.pdf
IT Employee Departure Procedures_V7_2.pdf
IT Security Awareness and Competencies Policy_V1_5.pdf
IT Services System Administration Privileged Access Management Policy_V7_2.pdf
IT System Backup Procedures_V7_2.pdf
IT System Patching Process_V7_3.pdf
Lab / Classroom Administrative Rights Exception Request_V6_1.pdf
Local Firewall Procedures for Workstations and Mobile Devices_V7_2.pdf
Log Review Policy_V2_1.pdf
Mobile Device Security - Remote Email Destruction Process_V1_1.pdf
Mobile Device Security Policy_V2_1.pdf
Multi-factor Authentication - Information Technology Services - UA Little Rock.pdf
Network Patching Process_V1_1.pdf
PCI Compliance _ Training Policy_V7_2.pdf
Physical Security Policy_V1_3.pdf
Retention of Records Policies_V7_2.pdf
Security and Incident Response Team Policy_V1_3.pdf
Security and IT System Access Policy_V1_2.pdf
Student Account Deletion Policy_V7_2.pdf
System Log Requirements_V8_2.pdf
UALR Change Management Policy 2.2.pdf
Vendor Remote Access Policy_V1_1.pdf
Vulnerability Scan Policy_V7_2.pdf
Wireless Network Guest Security Policy_V1_1.pdf
Wireless Security Policy_V1_2.pdf
Workstation Administrative Rights Exception Request_V6_1.pdf
Anticipated Completion Date: June 30, 2024
Contact Person: Gerald J. Ganz, Jr.
Vice Chancellor for Finance & Administration
University of Arkansas at Little Rock
2801 S. University Avenue
Little Rock, AR 72204
501-916-5622
GJGanz@ualr.edu
Finding Number: 2023-010
State/Educational Agency(s): Southeast Arkansas College
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.007 – Federal Supplemental Educational Opportunity Grants
84.033 – Federal Work Study Program
84.063 – Federal Pell Grant Program
84.268 – Federal Direct Student Loans
(Student Financial Assistance Cluster)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): Various
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Gramm-Leach-Bliley Act-Student Information Security
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
Postsecondary institutions are required under the Gramm-Leach-Bliley Act (16 CFR § 314) to establish an information security program. This program should encompass a documented risk assessment, identifying internal and external risks to the security, confidentiality, and integrity of customer information. Additionally, the written information security program must outline the implementation of particular safeguards tailored to address the risks identified in the risk assessment.
Condition and Context:
Southeast Arkansas College did not establish adequate internal controls over and did not comply with federal requirements to conduct a risk assessment of student information security in accordance with 16 CFR § 314.4.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
Because Southeast Arkansas College did not develop internal controls to monitor grant requirements, the required risk assessment and implementation of safeguards to control risk identified were inadequate to protect students’ financial aid information.
Effect:
Student information was more susceptible to unauthorized disclosure, misuse, alteration, destruction, or other compromise because risks could exist for which safeguards have not been designed and implemented.
Recommendation:
ALA recommends the College perform a risk assessment in accordance with 16 CFR § 314. This assessment should evaluate the risks associated with protecting students' financial aid information, covering all essential elements specified in 16 CFR § 314. Additionally, the College should establish a periodic review process to continuously comply with regulatory requirements, maintain a proactive approach to information security, develop an information security program, and implement a comprehensive set of safeguards tailored to address specific risks identified in the risk assessment.
Views of Responsible Officials and Planned Corrective Action:
We agree with the auditor’s finding and recommendations, and the following corrective action will be taken to improve the situation:
• The Director of Computing Services will oversee the review subsections of 16 CFR 314 to ensure compliance with requirements.
o Perform a more thorough GLBA Risk Assessment, which will be used to improve the institution’s security policy and posture. This is outlined in 16 CFR 314(b).
o Improve safeguards and more frequent testing to improve system security and threat transparency will be added, including email security and log file monitoring, in addition to other controls as outlined in 16 CFR 314(c) and (d). Several quotes have been acquired and are in the process of being reviewed.
o Conduct a review of policies and training, as outlined in 16 CFR 314(e), and mitigate deficiencies in awareness training and policies.
o Improve documentation around third-party service providers to ensure compliance with 16 CFR 314(f).
o All response plans are to be reviewed and improved as needed because of the Risk Assessment and other monitoring activities to ensure appropriate activities are included and tested at regular intervals.
o The institution will develop a compliance document to record efforts according to each section of 16 CFR 314, including those areas that are already compliant.
It is the goal of SEARK College to remain in a state of continuous improvement and in compliance with required regulations. The Director of Computing Services will work with the Senior Leadership Team to ensure that appropriate resources are made available, and that activities occur in a timely manner.
Anticipated Completion Date: The indicated reviews and assessments are already in progress, with a goal of June 30, 2024, to have fully integrated the stated improvements into our systems and procedures.
Contact Person: JoAnn Dupra.
Director of Computing Services
Southeast Arkansas College
1900 Hazel St
Pine Bluff, AR 71603
(870) 543-5993
jdupra@seark.edu
Finding Number: 2023-010
State/Educational Agency(s): Southeast Arkansas College
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.007 – Federal Supplemental Educational Opportunity Grants
84.033 – Federal Work Study Program
84.063 – Federal Pell Grant Program
84.268 – Federal Direct Student Loans
(Student Financial Assistance Cluster)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): Various
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Gramm-Leach-Bliley Act-Student Information Security
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
Postsecondary institutions are required under the Gramm-Leach-Bliley Act (16 CFR § 314) to establish an information security program. This program should encompass a documented risk assessment, identifying internal and external risks to the security, confidentiality, and integrity of customer information. Additionally, the written information security program must outline the implementation of particular safeguards tailored to address the risks identified in the risk assessment.
Condition and Context:
Southeast Arkansas College did not establish adequate internal controls over and did not comply with federal requirements to conduct a risk assessment of student information security in accordance with 16 CFR § 314.4.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
Because Southeast Arkansas College did not develop internal controls to monitor grant requirements, the required risk assessment and implementation of safeguards to control risk identified were inadequate to protect students’ financial aid information.
Effect:
Student information was more susceptible to unauthorized disclosure, misuse, alteration, destruction, or other compromise because risks could exist for which safeguards have not been designed and implemented.
Recommendation:
ALA recommends the College perform a risk assessment in accordance with 16 CFR § 314. This assessment should evaluate the risks associated with protecting students' financial aid information, covering all essential elements specified in 16 CFR § 314. Additionally, the College should establish a periodic review process to continuously comply with regulatory requirements, maintain a proactive approach to information security, develop an information security program, and implement a comprehensive set of safeguards tailored to address specific risks identified in the risk assessment.
Views of Responsible Officials and Planned Corrective Action:
We agree with the auditor’s finding and recommendations, and the following corrective action will be taken to improve the situation:
• The Director of Computing Services will oversee the review subsections of 16 CFR 314 to ensure compliance with requirements.
o Perform a more thorough GLBA Risk Assessment, which will be used to improve the institution’s security policy and posture. This is outlined in 16 CFR 314(b).
o Improve safeguards and more frequent testing to improve system security and threat transparency will be added, including email security and log file monitoring, in addition to other controls as outlined in 16 CFR 314(c) and (d). Several quotes have been acquired and are in the process of being reviewed.
o Conduct a review of policies and training, as outlined in 16 CFR 314(e), and mitigate deficiencies in awareness training and policies.
o Improve documentation around third-party service providers to ensure compliance with 16 CFR 314(f).
o All response plans are to be reviewed and improved as needed because of the Risk Assessment and other monitoring activities to ensure appropriate activities are included and tested at regular intervals.
o The institution will develop a compliance document to record efforts according to each section of 16 CFR 314, including those areas that are already compliant.
It is the goal of SEARK College to remain in a state of continuous improvement and in compliance with required regulations. The Director of Computing Services will work with the Senior Leadership Team to ensure that appropriate resources are made available, and that activities occur in a timely manner.
Anticipated Completion Date: The indicated reviews and assessments are already in progress, with a goal of June 30, 2024, to have fully integrated the stated improvements into our systems and procedures.
Contact Person: JoAnn Dupra.
Director of Computing Services
Southeast Arkansas College
1900 Hazel St
Pine Bluff, AR 71603
(870) 543-5993
jdupra@seark.edu
Finding Number: 2023-010
State/Educational Agency(s): Southeast Arkansas College
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.007 – Federal Supplemental Educational Opportunity Grants
84.033 – Federal Work Study Program
84.063 – Federal Pell Grant Program
84.268 – Federal Direct Student Loans
(Student Financial Assistance Cluster)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): Various
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Gramm-Leach-Bliley Act-Student Information Security
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
Postsecondary institutions are required under the Gramm-Leach-Bliley Act (16 CFR § 314) to establish an information security program. This program should encompass a documented risk assessment, identifying internal and external risks to the security, confidentiality, and integrity of customer information. Additionally, the written information security program must outline the implementation of particular safeguards tailored to address the risks identified in the risk assessment.
Condition and Context:
Southeast Arkansas College did not establish adequate internal controls over and did not comply with federal requirements to conduct a risk assessment of student information security in accordance with 16 CFR § 314.4.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
Because Southeast Arkansas College did not develop internal controls to monitor grant requirements, the required risk assessment and implementation of safeguards to control risk identified were inadequate to protect students’ financial aid information.
Effect:
Student information was more susceptible to unauthorized disclosure, misuse, alteration, destruction, or other compromise because risks could exist for which safeguards have not been designed and implemented.
Recommendation:
ALA recommends the College perform a risk assessment in accordance with 16 CFR § 314. This assessment should evaluate the risks associated with protecting students' financial aid information, covering all essential elements specified in 16 CFR § 314. Additionally, the College should establish a periodic review process to continuously comply with regulatory requirements, maintain a proactive approach to information security, develop an information security program, and implement a comprehensive set of safeguards tailored to address specific risks identified in the risk assessment.
Views of Responsible Officials and Planned Corrective Action:
We agree with the auditor’s finding and recommendations, and the following corrective action will be taken to improve the situation:
• The Director of Computing Services will oversee the review subsections of 16 CFR 314 to ensure compliance with requirements.
o Perform a more thorough GLBA Risk Assessment, which will be used to improve the institution’s security policy and posture. This is outlined in 16 CFR 314(b).
o Improve safeguards and more frequent testing to improve system security and threat transparency will be added, including email security and log file monitoring, in addition to other controls as outlined in 16 CFR 314(c) and (d). Several quotes have been acquired and are in the process of being reviewed.
o Conduct a review of policies and training, as outlined in 16 CFR 314(e), and mitigate deficiencies in awareness training and policies.
o Improve documentation around third-party service providers to ensure compliance with 16 CFR 314(f).
o All response plans are to be reviewed and improved as needed because of the Risk Assessment and other monitoring activities to ensure appropriate activities are included and tested at regular intervals.
o The institution will develop a compliance document to record efforts according to each section of 16 CFR 314, including those areas that are already compliant.
It is the goal of SEARK College to remain in a state of continuous improvement and in compliance with required regulations. The Director of Computing Services will work with the Senior Leadership Team to ensure that appropriate resources are made available, and that activities occur in a timely manner.
Anticipated Completion Date: The indicated reviews and assessments are already in progress, with a goal of June 30, 2024, to have fully integrated the stated improvements into our systems and procedures.
Contact Person: JoAnn Dupra.
Director of Computing Services
Southeast Arkansas College
1900 Hazel St
Pine Bluff, AR 71603
(870) 543-5993
jdupra@seark.edu
Finding Number: 2023-010
State/Educational Agency(s): Southeast Arkansas College
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.007 – Federal Supplemental Educational Opportunity Grants
84.033 – Federal Work Study Program
84.063 – Federal Pell Grant Program
84.268 – Federal Direct Student Loans
(Student Financial Assistance Cluster)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): Various
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Gramm-Leach-Bliley Act-Student Information Security
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
Postsecondary institutions are required under the Gramm-Leach-Bliley Act (16 CFR § 314) to establish an information security program. This program should encompass a documented risk assessment, identifying internal and external risks to the security, confidentiality, and integrity of customer information. Additionally, the written information security program must outline the implementation of particular safeguards tailored to address the risks identified in the risk assessment.
Condition and Context:
Southeast Arkansas College did not establish adequate internal controls over and did not comply with federal requirements to conduct a risk assessment of student information security in accordance with 16 CFR § 314.4.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
Because Southeast Arkansas College did not develop internal controls to monitor grant requirements, the required risk assessment and implementation of safeguards to control risk identified were inadequate to protect students’ financial aid information.
Effect:
Student information was more susceptible to unauthorized disclosure, misuse, alteration, destruction, or other compromise because risks could exist for which safeguards have not been designed and implemented.
Recommendation:
ALA recommends the College perform a risk assessment in accordance with 16 CFR § 314. This assessment should evaluate the risks associated with protecting students' financial aid information, covering all essential elements specified in 16 CFR § 314. Additionally, the College should establish a periodic review process to continuously comply with regulatory requirements, maintain a proactive approach to information security, develop an information security program, and implement a comprehensive set of safeguards tailored to address specific risks identified in the risk assessment.
Views of Responsible Officials and Planned Corrective Action:
We agree with the auditor’s finding and recommendations, and the following corrective action will be taken to improve the situation:
• The Director of Computing Services will oversee the review subsections of 16 CFR 314 to ensure compliance with requirements.
o Perform a more thorough GLBA Risk Assessment, which will be used to improve the institution’s security policy and posture. This is outlined in 16 CFR 314(b).
o Improve safeguards and more frequent testing to improve system security and threat transparency will be added, including email security and log file monitoring, in addition to other controls as outlined in 16 CFR 314(c) and (d). Several quotes have been acquired and are in the process of being reviewed.
o Conduct a review of policies and training, as outlined in 16 CFR 314(e), and mitigate deficiencies in awareness training and policies.
o Improve documentation around third-party service providers to ensure compliance with 16 CFR 314(f).
o All response plans are to be reviewed and improved as needed because of the Risk Assessment and other monitoring activities to ensure appropriate activities are included and tested at regular intervals.
o The institution will develop a compliance document to record efforts according to each section of 16 CFR 314, including those areas that are already compliant.
It is the goal of SEARK College to remain in a state of continuous improvement and in compliance with required regulations. The Director of Computing Services will work with the Senior Leadership Team to ensure that appropriate resources are made available, and that activities occur in a timely manner.
Anticipated Completion Date: The indicated reviews and assessments are already in progress, with a goal of June 30, 2024, to have fully integrated the stated improvements into our systems and procedures.
Contact Person: JoAnn Dupra.
Director of Computing Services
Southeast Arkansas College
1900 Hazel St
Pine Bluff, AR 71603
(870) 543-5993
jdupra@seark.edu
Finding Number: 2023-011
State/Educational Agency(s): Arkansas Department of Education
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.425D – COVID 19: Elementary and Secondary School
Emergency Relief (ESSER) Fund
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): S425D210039
Federal Award Year(s): 2021
Compliance Requirement(s) Affected: Reporting
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
Not applicable
Criteria:
In accordance with 2 CFR § 200.302, the auditee must provide an accurate, current, and complete disclosure of the financial results of each federal award or program in accordance with the reporting requirements.
In addition, the U.S. Department of Education’s Office of Elementary and Secondary Education requires ESSER grantees to submit an Annual Performance Report (APR) with data on expenditures, planned expenditures, subrecipients, and uses of funds.
Condition and Context:
To aid in the completion of year three’s ESSER APR, Agency staff obtained data from the Arkansas Public School Computer Network (APSCN), the accounting system utilized by Local Educational Agencies (LEAs), to monitor program expenditures. The data was compiled by Agency staff and was included on the templates provided by the U.S. Department of Education (ED).
To ensure compliance with line item 3.b1 – LEA Expenditures by ESSER Subgrant Fund and Expenditure Category of the APR, which is identified in the Compliance Supplement as a key line item, ALA performed a review of the data included on the templates that was uploaded to the Annual Reporting Data Collection Tool on the ED website. The template includes data for the 255 participating LEAs.
ALA’s review of the data template revealed a clerical error that reported LEAs’ grand totals as non-LEA expenditures. The clerical error resulted in overstated expenditures in the following categories:
• Meeting students’ academic, social, emotional, and other needs - $89,966,926 overstatement;
• Mental health supports for students and staff - $1,428,542 overstatement;
• Operational continuity and other allowed uses - $62,756,767 overstatement
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Overstated amount - $154,152,235
Cause:
The Agency failed to ensure LEA expenditures reflected in the APSCN report were adequately represented on the ESSER II annual report.
Effect:
Inaccurate data was submitted to the federal awarding agency.
Recommendation:
ALA staff recommend the Agency implement additional procedures and controls over the reporting process to ensure reports are thoroughly reviewed prior to submission.
Views of Responsible Officials and Planned Corrective Action:
Arkansas Department of Education recognizes this finding. ADE Finance completed the named report which contained a subtotal error that overstated the totals when provided to Legislative Auditors. However, logic verifications built into the Federal System disallowed the items mentioned to be submitted. Therefore, the data reflected in Federal reporting for Arkansas was not overstated nor actual expenses and associated drawdowns completed erroneously. This information was confirmed with the U.S. Department of Education (ED) on February 21, 2024.
ADE Finance assures that revisions to the FY23 ESSER data template will be made and uploaded to the Federal Reporting System during the allowable period of July 29, 2024, and August 15, 2024.
Anticipated Completion Date: Data was effectively corrected at the time of reporting within the Federal System. ADE Finance will revise its uploaded FY23 ESSER data template during the allowable period of July 29, 2024, through August 15, 2024.
Contact Person: Amy Thomas
Accounting Operations Manager
Arkansas Department of Education
Four Capitol Mall, Room 204
Little Rock, AR 72201
501-682-3636
Amy.Thomas@ade.arkansas.gov
Finding Number: 2023-012
State/Educational Agency(s): Arkansas Department of Education
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.425D – COVID 19: Elementary and Secondary School
Emergency Relief (ESSER) Fund;
84.425U – COVID 19: American Rescue Plan – Elementary and
Secondary School Emergency Relief (ARP ESSER)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): S425D2000039; S425D210039; S425U210039
Federal Award Year(s): 2020 and 2021
Compliance Requirement(s) Affected: Reporting
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
Not applicable
Criteria:
In accordance with 2 CFR § 200.302, the auditee must provide an accurate, current, and complete disclosure of the financial results of each federal award or program in accordance with the reporting requirements.
In addition, the U.S. Department of Education’s Office of Elementary and Secondary Education requires ESSER grantees to submit an Annual Performance Report (APR) with data on expenditures, planned expenditures, subrecipients, and uses of funds.
Condition and Context:
To accurately complete the ESSER APR, the Agency prepared a survey to be completed by each of the Local Educational Agencies (LEAs) to capture data to complete specific lines of the APR. The completed surveys were compiled and included on the templates provided by the U.S. Department of Education (ED). The surveys contained the number of staff supported by ESSER funding and the total expenditure amount by position categories. Each LEA utilizes the Arkansas Public School Computer Network (APSCN) to process and track its expenditures. Agency staff also have access to APSCN.
To ensure compliance with line item 3.b10 – LEA Hiring and Retention of Specific Positions of the APR, which is identified in the Compliance Supplement as a key line item, ALA performed a review of the data included on the template that was uploaded to the Annual Reporting Data Collection Tool on the ED website. The template includes data for the 263 participating LEAs.
A sample of 25 LEAs was selected to determine if the data included in the template was supported by data submitted by the LEA on the survey. ALA review revealed that the data uploaded on the template is supported by the surveys completed and submitted by each LEA.
However, the survey data does not represent the salary expenditures reflected in APSCN. As a result, ALA performed a comparison between the total salary and benefit expenditures reflected in APSCN to the total salary and benefit expenditures reported on the APR. ALA review revealed that the total amount reported as expended for staff supported by ESSER funds is understated by $98,192,610. (It should be noted that 22 of the 263 LEAs reported accurate salary expenditures supported by APSCN.)
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Understated amount - $98,192,610
Cause:
The survey provided by the Agency to capture the data necessary to complete the key line item on the APR did not contain sufficient instructions to ensure each LEA completed the survey accurately. As a result, multiple LEAs submitted inaccurate information and the Agency failed to perform additional procedures to corroborate the survey data provided.
Effect:
Inaccurate data was submitted on the APR.
Recommendation:
ALA staff recommend the Agency strengthen controls over reporting to ensure that amounts reported are accurate, complete, and properly supported by the appropriate records and documentation to ensure compliance with federal laws and regulations.
Views of Responsible Officials and Planned Corrective Action:
Arkansas Department of Education recognizes this finding. The ADE Finance unit utilized data extracted from the statewide Local Educational Agencies (LEAs) system, APSCN, for the majority of parameters reported. However, APSCN does not have the ability to cross-reference financial expenses with Local Educational Agency’s (LEAs) personnel data, which led to the creation of the survey. LEAs were expected to report data during a subsequent school year post COVID-19 Pandemic. ADE gathered state total expenses for requested categories from the system compiled with the requested breakdowns by position type obtained in the manual survey. The two data sets did not align, thus seen in Questioned Costs which reflects the difference between the two datasets. LEA actual expenses, associated drawdowns, and disbursements were not affected by the amounts reported in the annual ESSER data.
ADE Finance is currently working with APSCN personnel to explore options for assembling data without manual input from LEAs. When implemented, discrepancies in the state data reported to federal systems and LEAs data should not exist. ADE has the goal of utilizing this method for FY23 reporting in May 2024.
Anticipated Completion Date: ADE Finance will revise its uploaded FY22 ESSER data template during the allowable period of July 29, 2024, through August 15, 2024.
Contact Person: Amy Thomas
Accounting Operations Manager
Arkansas Department of Education
Four Capitol Mall, Room 204
Little Rock, AR 72201
501-682-3636
Amy.Thomas@ade.arkansas.gov
Finding Number: 2023-013
State/Educational Agency(s): Arkansas Department of Education
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.425D – COVID 19: Elementary and Secondary School
Emergency Relief (ESSER) Fund
84.425U – COVID 19: American Rescue Plan – Elementary and
Secondary School Emergency Relief (ARP ESSER)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): S425D2000039; S425D210039; S425U210039
Federal Award Year(s): 2020 and 2021
Compliance Requirement(s) Affected: Reporting
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
Not applicable
Criteria:
In accordance with 2 CFR § 200.302, the auditee must provide an accurate, current, and complete disclosure of the financial results of each federal award or program in accordance with the reporting requirements.
In addition, 2 CFR § 200.303(a) requires a non-federal entity to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the award in compliance with federal statutes, regulations, and the terms and conditions of the grant award.
Condition and Context:
To ensure compliance with year three’s ESSER Annual Performance Report (APR), ALA performed a review of line item 5.a – Full-Time Equivalent (FTE) Positions, which is identified in the Compliance Supplement as a key line item, to determine if the information reported was accurate and properly supported with accounting records for Local Educational Agencies (LEAs) and non-LEAs. Agency staff utilized the template provided by the U.S. Department of Education (ED) to upload data to the Annual Reporting Data Collection Tool. The template includes data for the 256 participating LEAs and 41 non-LEAs.
The Agency estimated the FTE position data for non-LEAs based on websites and other available information but did not maintain supporting documentation for the information reported to the federal awarding agency. As a result, ALA staff were unable to verify that the data was accurate and complete.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Unknown
Cause:
The Agency did not maintain appropriate supporting documentation.
Effect:
The accuracy of data submitted to the federal awarding agency is unknown.
Recommendation:
ALA staff recommend the Agency strengthen internal controls over the review of special reports to ensure reported data is appropriately supported in accordance with federal laws and regulations.
Views of Responsible Officials and Planned Corrective Action:
Arkansas Department of Education recognizes this finding. ADE Finance understands the importance of supporting documentation for non-LEAs and has implemented a plan for FY23 communications. Furthermore, ADE Finance conducted follow-up communication with the U.S. Department of Education (ED) on March 1, 2024. It was concluded that FTE position data for non-LEAs were optional for Years 1 and 2 Annual Performance Reports per the ESSER Form Review Webinar Guidance. ADE was further instructed to omit non-LEA information from the template should it be unreasonable to provide for the FY22 reporting year in question.
ADE will ensure non-LEA entities provide the requested 5.a – Full-Time Equivalent (FTE) Compliance Supplement information for supporting documentation with FY23 and subsequent Reporting Periods.
Anticipated Completion Date: May 2024. ADE Finance is coordinating communication with non-Local Educational Agencies (non-LEAs) in effort to revise the data for FY22, however will omit the related data per U.S. Department of Education (ED) guidance provided on March 1, 2024, should non-LEAs be unable to provide quality data.
Contact Person: Amy Thomas
Accounting Operations Manager
Arkansas Department of Education
Four Capitol Mall, Room 204
Little Rock, AR 72201
501-682-3636
Amy.Thomas@ade.arkansas.gov
Finding Number: 2023-012
State/Educational Agency(s): Arkansas Department of Education
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.425D – COVID 19: Elementary and Secondary School
Emergency Relief (ESSER) Fund;
84.425U – COVID 19: American Rescue Plan – Elementary and
Secondary School Emergency Relief (ARP ESSER)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): S425D2000039; S425D210039; S425U210039
Federal Award Year(s): 2020 and 2021
Compliance Requirement(s) Affected: Reporting
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
Not applicable
Criteria:
In accordance with 2 CFR § 200.302, the auditee must provide an accurate, current, and complete disclosure of the financial results of each federal award or program in accordance with the reporting requirements.
In addition, the U.S. Department of Education’s Office of Elementary and Secondary Education requires ESSER grantees to submit an Annual Performance Report (APR) with data on expenditures, planned expenditures, subrecipients, and uses of funds.
Condition and Context:
To accurately complete the ESSER APR, the Agency prepared a survey to be completed by each of the Local Educational Agencies (LEAs) to capture data to complete specific lines of the APR. The completed surveys were compiled and included on the templates provided by the U.S. Department of Education (ED). The surveys contained the number of staff supported by ESSER funding and the total expenditure amount by position categories. Each LEA utilizes the Arkansas Public School Computer Network (APSCN) to process and track its expenditures. Agency staff also have access to APSCN.
To ensure compliance with line item 3.b10 – LEA Hiring and Retention of Specific Positions of the APR, which is identified in the Compliance Supplement as a key line item, ALA performed a review of the data included on the template that was uploaded to the Annual Reporting Data Collection Tool on the ED website. The template includes data for the 263 participating LEAs.
A sample of 25 LEAs was selected to determine if the data included in the template was supported by data submitted by the LEA on the survey. ALA review revealed that the data uploaded on the template is supported by the surveys completed and submitted by each LEA.
However, the survey data does not represent the salary expenditures reflected in APSCN. As a result, ALA performed a comparison between the total salary and benefit expenditures reflected in APSCN to the total salary and benefit expenditures reported on the APR. ALA review revealed that the total amount reported as expended for staff supported by ESSER funds is understated by $98,192,610. (It should be noted that 22 of the 263 LEAs reported accurate salary expenditures supported by APSCN.)
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Understated amount - $98,192,610
Cause:
The survey provided by the Agency to capture the data necessary to complete the key line item on the APR did not contain sufficient instructions to ensure each LEA completed the survey accurately. As a result, multiple LEAs submitted inaccurate information and the Agency failed to perform additional procedures to corroborate the survey data provided.
Effect:
Inaccurate data was submitted on the APR.
Recommendation:
ALA staff recommend the Agency strengthen controls over reporting to ensure that amounts reported are accurate, complete, and properly supported by the appropriate records and documentation to ensure compliance with federal laws and regulations.
Views of Responsible Officials and Planned Corrective Action:
Arkansas Department of Education recognizes this finding. The ADE Finance unit utilized data extracted from the statewide Local Educational Agencies (LEAs) system, APSCN, for the majority of parameters reported. However, APSCN does not have the ability to cross-reference financial expenses with Local Educational Agency’s (LEAs) personnel data, which led to the creation of the survey. LEAs were expected to report data during a subsequent school year post COVID-19 Pandemic. ADE gathered state total expenses for requested categories from the system compiled with the requested breakdowns by position type obtained in the manual survey. The two data sets did not align, thus seen in Questioned Costs which reflects the difference between the two datasets. LEA actual expenses, associated drawdowns, and disbursements were not affected by the amounts reported in the annual ESSER data.
ADE Finance is currently working with APSCN personnel to explore options for assembling data without manual input from LEAs. When implemented, discrepancies in the state data reported to federal systems and LEAs data should not exist. ADE has the goal of utilizing this method for FY23 reporting in May 2024.
Anticipated Completion Date: ADE Finance will revise its uploaded FY22 ESSER data template during the allowable period of July 29, 2024, through August 15, 2024.
Contact Person: Amy Thomas
Accounting Operations Manager
Arkansas Department of Education
Four Capitol Mall, Room 204
Little Rock, AR 72201
501-682-3636
Amy.Thomas@ade.arkansas.gov
Finding Number: 2023-013
State/Educational Agency(s): Arkansas Department of Education
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 84.425D – COVID 19: Elementary and Secondary School
Emergency Relief (ESSER) Fund
84.425U – COVID 19: American Rescue Plan – Elementary and
Secondary School Emergency Relief (ARP ESSER)
Federal Awarding Agency: U.S. Department of Education
Federal Award Number(s): S425D2000039; S425D210039; S425U210039
Federal Award Year(s): 2020 and 2021
Compliance Requirement(s) Affected: Reporting
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
Not applicable
Criteria:
In accordance with 2 CFR § 200.302, the auditee must provide an accurate, current, and complete disclosure of the financial results of each federal award or program in accordance with the reporting requirements.
In addition, 2 CFR § 200.303(a) requires a non-federal entity to establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the award in compliance with federal statutes, regulations, and the terms and conditions of the grant award.
Condition and Context:
To ensure compliance with year three’s ESSER Annual Performance Report (APR), ALA performed a review of line item 5.a – Full-Time Equivalent (FTE) Positions, which is identified in the Compliance Supplement as a key line item, to determine if the information reported was accurate and properly supported with accounting records for Local Educational Agencies (LEAs) and non-LEAs. Agency staff utilized the template provided by the U.S. Department of Education (ED) to upload data to the Annual Reporting Data Collection Tool. The template includes data for the 256 participating LEAs and 41 non-LEAs.
The Agency estimated the FTE position data for non-LEAs based on websites and other available information but did not maintain supporting documentation for the information reported to the federal awarding agency. As a result, ALA staff were unable to verify that the data was accurate and complete.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Unknown
Cause:
The Agency did not maintain appropriate supporting documentation.
Effect:
The accuracy of data submitted to the federal awarding agency is unknown.
Recommendation:
ALA staff recommend the Agency strengthen internal controls over the review of special reports to ensure reported data is appropriately supported in accordance with federal laws and regulations.
Views of Responsible Officials and Planned Corrective Action:
Arkansas Department of Education recognizes this finding. ADE Finance understands the importance of supporting documentation for non-LEAs and has implemented a plan for FY23 communications. Furthermore, ADE Finance conducted follow-up communication with the U.S. Department of Education (ED) on March 1, 2024. It was concluded that FTE position data for non-LEAs were optional for Years 1 and 2 Annual Performance Reports per the ESSER Form Review Webinar Guidance. ADE was further instructed to omit non-LEA information from the template should it be unreasonable to provide for the FY22 reporting year in question.
ADE will ensure non-LEA entities provide the requested 5.a – Full-Time Equivalent (FTE) Compliance Supplement information for supporting documentation with FY23 and subsequent Reporting Periods.
Anticipated Completion Date: May 2024. ADE Finance is coordinating communication with non-Local Educational Agencies (non-LEAs) in effort to revise the data for FY22, however will omit the related data per U.S. Department of Education (ED) guidance provided on March 1, 2024, should non-LEAs be unable to provide quality data.
Contact Person: Amy Thomas
Accounting Operations Manager
Arkansas Department of Education
Four Capitol Mall, Room 204
Little Rock, AR 72201
501-682-3636
Amy.Thomas@ade.arkansas.gov
Finding Number: 2023-014
State/Educational Agency(s): Arkansas Department of Finance and Administration –
Office of Child Support Enforcement
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 93.563 – Child Support Enforcement
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 2201ARCSES
Federal Award Year(s): 2022
Compliance Requirement(s) Affected: Allowable Costs/Cost Principles;
Cash Management;
Matching, Level of Effort, Earmarking
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
In accordance with 45 CFR § 75.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statues, regulations, and terms and conditions of the award.
In addition, 45 CFR § 75.403(f) states that factors affecting the allowability of costs include ensuring the costs were not included as a cost of any other federally financed program in either the current or a prior period.
Condition and Context:
During the reconciliation of expenditures, ALA reviewed all miscellaneous revenue and other receipts to determine if the Agency calculated the correct state match and used allowable sources of revenue.
ALA review revealed that the Agency received a one-time transfer from the Coronavirus Aid, Relief and Economic Security (CARES) Act federal program (ALN # 21.019) totaling $760,938. These funds were used to reimburse the Agency’s payroll expenditures, which is allowable. However, the Agency failed to reduce its subsequent request for reimbursement from the Child Support Enforcement program by the $760,938 it had received from CARES Act funds. As a result, the Agency was reimbursed an additional $502,219 ($760,938 x 66%) for the same payroll expenditures from the Child Support Enforcement program, which is unallowable.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$ 502,219
Cause:
The Agency did not remove CARES Act funds used as reimbursement for a portion of payroll expenditures from its subsequent matching calculation for the Child Support Enforcement Program.
Effect:
The Agency received reimbursement in excess of what was allowable resulting in a liability, totaling $502,219, to the federal awarding agency of the Child Support Enforcement Program.
Recommendation:
ALA staff recommend the Agency strengthen internal controls over the affected compliance areas to ensure all costs reimbursed by another federal program are adequately tracked and removed from the reimbursement request for the Child Support Enforcement Program. In addition, ALA staff recommend the Agency contact the federal awarding agency to resolve this matter.
Views of Responsible Officials and Planned Corrective Action:
The agency agrees with the finding. We found an error in the formula of the worksheet used for the preparation and submission of the quarterly expenditure report. The error resulted in not properly reporting the CARES Act reimbursement.
The agency will report to the federal Child Support Services program to account for the over-reimbursement of federal share of expenditures. The error in the specific worksheet that resulted in the over-reporting of allowed expenditures has been corrected. Further, the agency will perform a review of all other subsidiary reports and worksheets that are used in preparation of the federal expenditure reports. This will be done in order to ensure that the federal reports are prepared accurately. Additionally, procedures for review of report preparation will be enhanced to further strengthen internal controls.
Anticipated Completion Date: Correction of the specific worksheet deficiency has been completed. Corrections to the federal reports to account for the over-reimbursement will be completed in the next federal reporting cycle due on May 15, 2024. Review of all other subsidiary reports and worksheets and the enhanced report preparation review is part of an ongoing project to be completed no later than August 15, 2024.
Contact Person: Robert Hallmark
Agency Controller II Agency Controller II
Department of Finance and Administration-Office of Child Support Enforcement
322 S Main St, Suite 100
Little Rock, AR 72201
501-682-6306
Robert.Hallmark@ocse.arkansas.gov
Finding Number: 2023-015
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.659 – Adoption Assistance
Federal Awarding Agency: U.S. Department of Human Services
Federal Award Number(s): Various
Federal Award Year(s): Various
Compliance Requirement(s) Affected: Eligibility
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
Not applicable.
Criteria:
In accordance with 45 CFR 1356.40(b)(1), the adoption assistance agreement must be signed and in effect at the time of or prior to the final decree of adoption. The adoption assistance agreement is defined at 42 USC 675(3).
Condition and Context:
ALA staff reviewed 60 client adoption files to ensure sufficient, appropriate evidence was provided to support the Agency’s determination of eligibility. The clients selected for testing had adoption legalization dates that spanned from March 2006 to April 2023. The review revealed deficiencies as summarized below:
• One client file, with an adoption legalization date of July 16, 2010, did not contain a signed subsidy agreement. The adoptive parents received monthly subsidy payments from August 2010 - present. Questioned costs representing the federal portion, totaled $51,098, as follows:
$3,281 - SFY 2011
$3,487 - SFY 2012
$3,648 - SFY 2013
$3,702 - SFY 2014
$3.784 - SFY 2015
$3,708 - SFY 2016
$3,684 - SFY 2017
$3,726 - SFY 2018
$3,918 - SFY 2019
$4,190 - SFY 2020
$4,370 - SFY 2021
$4,594 - SFY 2022
$4,637 - SFY 2023
$ 369 - SFY 2024
• Two subsidy agreements, with adoption legalized dates of March 9, 2006, and May 27, 2009, respectively, were signed but not dated by the adoptive parents. However, the agreements were signed and dated by the Division of Child and Family Services (DCFS) Director.
• One subsidy agreement, signed and dated by the adoptive parents and DCFS Director, stated the adoptive family qualified for a “deferred subsidy.” The agreement did not authorize a federal subsidy at the time of adoption. A keying error in the Children’s Reporting and Information System (CHRIS) caused the adoptive family to begin receiving a federal subsidy on the decree of adoption date. The adoptive parents received three unauthorized monthly subsidy payments in state fiscal year 2023. Questioned costs representing the federal portion, totaled $737.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$51,835
Cause:
DCFS did not maintain sufficient records to support the adoption subsidy agreement with the parents of the adopted child.
Effect:
DCFS does not have adequate documentation supporting the eligibility of federal adoption subsidy payments made on behalf of adopted children.
Recommendation:
ALA staff recommend the Agency continue providing adequate communication with and training to appropriate personnel to ensure compliance with program requirements and retention of documentation.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. The agency has updated its documented controls to require confirmation that agreements are signed by all parties before processing adoption subsidy packets. Adoption staff will be trained on the updated controls.
Anticipated Completion Date: 3/31/2024
Contact Person: Tiffany Wright
Director, Division of Children and Family Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-396-6477
Tiffany.Wright@dhs.arkansas.gov
Finding Number: 2023-016
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.659 – Adoption Assistance
Federal Awarding Agency: U.S. Department of Human Services
Federal Award Number(s): Various
Federal Award Year(s): Various
Compliance Requirement(s) Affected: Eligibility
Type of Finding: Material Weakness
Repeat Finding:
Not applicable
Criteria:
In accordance with 42 USC § 673 (a)(4)(A) and (B), a payment may not be made to parents with respect to a child if the state determines that the parents are no longer legally responsible for the support of the child or if the state determines that the child is no longer receiving any support from the parents. Parents who have been receiving adoption assistance payments shall keep the state, administering the program, informed of circumstances that would make them ineligible for the payments.
In accordance with 45 CFR § 75.303, a non-federal entity must:
• Establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. These controls should be in compliance with Green Book or COSO guidance.
• Evaluate and monitor its compliance with the award.
• Take prompt action when instances of noncompliance are identified, including noncompliance identified in audit findings.
Condition and Context:
When an adoptive parent is no longer legally responsible for the support of the child (i.e., death of parent, termination of parental rights, child no longer receiving support from parent), the Adoption Unit must be notified in order to end the adoption subsidy. However, the notifications are not always timely, and the required information entered into the Children’s Reporting and Information System (CHRIS) can be delayed, resulting in payments made to parents past the subsidy end date. As a result, the Agency established internal control procedures to identify these types of payments and the overpayment information is provided to the accounts receivable department for collection.
ALA obtained a report from Division of Children and Family Services (DCFS) staff that contained all subsidy overpayments for the state fiscal year ended June 30, 2023. The report revealed subsidy overpayments for 29 clients with payments made to 22 providers. ALA reviewed documentation for five clients to ensure that the overpayments were researched and properly submitted for collection and that proper collection efforts were made by the accounts receivable department.
ALA review revealed the following deficiencies:
• Three subsidy payments, totaling $1,016, were made on behalf of three children subsequent to the death of the provider. The adoption unit failed to properly research the event to determine if an overpayment had occurred. As a result, questioned costs representing the federal portion, totaled $787.
• Two subsidy payments, totaling $1,170, were made subsequent to the death of one client. The adoption unit failed to properly research the event to determine if an overpayment had occurred. As a result, questioned costs representing the federal portion, totaled $908.
Condition and Context (Continued):
• The Agency did not receive timely notification that parental rights had been terminated for three clients. As a result, 91 subsidy payments, totaling $40,638, were processed in error. A portion of these payments dated back to prior fiscal years 2018 through 2022. Additionally, when discovered, the overpayment information sent to the accounts receivable department for two clients was not complete. Questioned costs representing the federal portion, totaled $30,713, as follows:
$2,837 - SFY 2018
$3,749 - SFY 2019
$4,190 - SFY 2020
$5,738 - SFY 2021
$9,457 - SFY 2022
$4,742 - SFY 2023
The following discoveries contributed to the errors regarding the overpayments for the three clients noted above and are as follows:
• For two of the three clients whose overpayment balance was submitted to Accounts Receivable (A/R) for collection, A/R failed to send the Notice of Collection letters to the providers. The letter is sent via certified mail, and the provider is required to sign for the letter. The signed notice is required before A/R can pursue any legal action to collect the overpayment from the provider.
• For three providers, the subsidy overpayment was recorded in the Agency’s accounts receivable system (AROPTS) as a Foster Care Board overpayment. As a result, the Demand Notice and the Notice to Intercept State Income Tax Refund(s) sent to the provider misrepresented the overpayment as Foster Care instead of Adoption Assistance.
• In one instance, the Demand Notice and the Notice to Intercept State Income Tax Refund(s) sent to the provider included inaccurate overpayment information. Each notice letter included different overpayment information and did not agree to the overpayment amount submitted from the Adoption Unit to A/R.
• One provider submitted a reimbursement totaling $920, but it was not properly recorded by A/R. As a result, the overpayment balance was not appropriately reduced.
Further discussion with the Agency revealed that adjustments have not been made for these overpayments on the quarterly federal financial reports or communicated with the federal awarding agency.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$32,408
Cause:
The internal control process for identifying, researching, calculating, and submitting overpayments to A/R is not adequate. In addition, internal control procedures for processing and collecting overpayments by A/R are not adequate. Finally, the adoption unit is not notified of relevant events timely resulting in the ending of a subsidy.
Effect:
The Division of Children and Family Services does not have an adequate process in place to accurately identify and calculate overpayments and properly notify the Agency’s A/R department that an overpayment has occurred. In addition, the Agency’s A/R department does not have an adequate process in place to effectively and efficiently attempt to collect adoption subsidy overpayments. Finally, the federal awarding agency may require recoupment.
Recommendation:
ALA staff recommend the Agency immediately update its internal control procedures document regarding the overpayment processes and provide relevant training to staff. In addition, ALA staff recommend the Agency immediately develop procedures for notifying the Adoption Unit of the termination of adoptive parent parental rights to ensure subsidy end date information is processed timely.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. The agency has updated its internal controls procedures to require enhanced review of payments made after the death of a provider or a client and enhanced monitoring of when a client is removed from an adoptive parent’s home. The Accounts Receivable Unit in the Office of Finance has implemented systems changes that ensures all claims will generate a collections notice with the correct claims data. The noted outstanding collection notices have been sent and data entry errors have been corrected.
Anticipated Completion Date: Complete
Contact Person: Tiffany Wright
Director, Division of Children and Family Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-396-6477
Tiffany.Wright@dhs.arkansas.gov
Finding Number: 2023-017
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.659 – Adoption Assistance
Federal Awarding Agency: U.S. Department of Human Services
Federal Award Number(s): 2301ARADPT; 2201ARADPT; 2101ARADPT
Federal Award Year(s): 2021, 2022, and 2023
Compliance Requirement(s) Affected: Matching, Level of Effort, Earmarking
Type of Finding: Material Weakness
Repeat Finding:
Not applicable
Criteria:
In accordance with 45 CFR § 75.303, a non-federal entity must establish and maintain effective internal control over a federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award.
Additionally, 45 CFR 75.342(a) states that a non-federal entity is responsible for the oversight of operations for federal award supported activities. The non-federal entity must monitor its activities to assure compliance with applicable federal requirements.
Since federal fiscal year 2010, federal regulations have required states to apply less restrictive program eligibility requirements to children who meet specific criteria. This can result in additional federal funding and, therefore, a reduction in state costs. Federal regulations at 42 USC 673(a)(8) require the Agency to calculate the amount saved, if any, and spend an equal amount on certain program services. Maintaining this state spending at the appropriate level is referred to as level of effort.
The Agency is also required to spend no less than 30 percent of any such savings on post-adoption services, post guardianship services, and services to support and sustain positive permanent outcomes for children who might otherwise enter the State’s foster care program. The Agency must accurately report these amounts to the federal grantor on the Annual Adoption Savings Report.
Condition and Context:
ALA staff requested the Agency’s internal control procedures over the level of effort – adoption savings requirement. Additionally, ALA staff requested the file tracking the excess funds used as savings. This review revealed the following deficiencies:
• The Agency was unable to provide documented internal controls addressing any of the five elements of COSO for the time period under review.
• The Agency was unable to provide documentation to support that it was monitoring adoption savings activities to ensure compliance with Level of Effort requirements.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The Agency has not established an internal control process for tracking or monitoring state-funded spending and completing the Annual Adoption Savings Report. It is noted that the Division responsible for the report and monitoring the level of effort requirement has recently experienced significant employee turnover.
Effect:
Without a system to accurately account for and record expenditures related to adoption savings, the Agency could not demonstrate it spent the amount reported. Inadequate controls for effectively monitoring compliance could result in failure to meet level of effort requirement and also limit the Agency’s ability to effectively manage the grant.
Recommendation:
ALA staff recommend the Agency establish internal controls to track state-funded spending. In addition, the Agency should establish written policies and procedures specifying how the Agency will determine the amount of adoption assistance savings and subsequent expenditures of those savings to be reported to the grantor. Finally, ALA staff recommend the Agency review maintenance of effort reports to ensure the amount of expenditures reported to the grantor has been accurately determined and is adequately supported.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. The agency will develop a procedure to monitor and accurately report adoption savings activities and will submit an updated Adoption Savings Report to correct any previously incorrectly reported amounts.
Anticipated Completion Date: 3/31/2024
Contact Person: Tiffany Wright
Director, Division of Children and Family Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-396-6477
Tiffany.Wright@dhs.arkansas.gov
Finding Number: 2023-018
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.659 – Adoption Assistance
Federal Awarding Agency: U.S. Department of Human Services
Federal Award Number(s): 2201ARADPT
Federal Award Year(s): 2022
Compliance Requirement(s) Affected: Matching, Level of Effort, Earmarking;
Reporting
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
Not applicable
Criteria:
45 CFR 75.342(a) states that a non-federal entity is responsible for the oversight of operations for federal award supported activities. The non-federal entity must monitor its activities to assure compliance with applicable federal requirements.
Since federal fiscal year 2010, federal regulations have required states to apply less restrictive program eligibility requirements to children who meet specific criteria. This can result in additional federal funding and, therefore, a reduction in state costs. Federal regulations at 42 USC 673(a)(8) require the Agency to calculate the amount saved, if any, and spend an equal amount on certain program services. Maintaining this state spending at the appropriate level is referred to as level of effort.
The Agency is also required to spend no less than 30 percent of any such savings on post-adoption services, post guardianship services, and services to support and sustain positive permanent outcomes for children who might otherwise enter the State’s foster care program. The Agency must accurately report these amounts to the federal grantor on the Annual Adoption Savings Report.
According to the supplemental terms and conditions relating to Title IV-E programs from the federal awarding agency, the Annual Adoption Savings Report (Part 4) must be submitted no later than 30 days following the end of the federal fiscal year (i.e., no later than October 30). (See 45 CFR §201.5 and 45 CFR §1355.30(n)(1).)
Condition and Context:
ALA staff reviewed the Annual Adoption Savings Calculation and Accounting report for period ended September 30, 2022. ALA staff requested documentation supporting the amount spent on program services utilizing the adoption savings to ensure the expenditures were sufficient to equal the savings calculated and reported. This review revealed the following deficiencies:
• The Annual Adoption Savings Report for the period ended September 30, 2022 was incomplete and the data used in preparing the report calculation was not adequately supported.
• The Annual Adoption Savings Report was not submitted within established time constraints.
• The Agency was unable to provide documentation to support that it was tracking the annual adoption savings amounts in order to meet the level of effort compliance requirements.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Unknown
Cause:
The Agency has not established an internal control process for tracking or monitoring state-funded spending and completing the Annual Adoption Savings Report. It was noted that the Division responsible for the report and monitoring the level of effort requirement has recently experienced significant employee turnover.
Effect:
Without a system to accurately account for and record expenditures related to adoption savings, the Agency could not demonstrate it spent the amount reported. The grant agreement allows the grantor to take action for noncompliance that can include temporarily withholding funds, wholly or partly suspending or terminating the award, and withholding further awards from the program.
Recommendation:
ALA staff recommend the Agency establish internal controls to track state-funded spending. In addition, the Agency should establish written policies and procedures specifying how the Agency will determine the amount of adoption assistance savings and subsequent expenditures of those savings to be reported to the grantor. Finally, ALA staff recommend the Agency review maintenance of effort reports to ensure the amount of expenditures reported to the grantor has been accurately determined, is adequately supported, and is submitted timely.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. The agency will develop a procedure to monitor and accurately report adoption savings activities and will submit an updated Adoption Savings Report to correct any previously incorrectly reported amounts.
Anticipated Completion Date: 3/31/2024
Contact Person: Tiffany Wright
Director, Division of Children and Family Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-396-6477
Tiffany.Wright@dhs.arkansas.gov
Finding Number: 2023-019
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021; 05-2305AR3002
(Children’s Health Insurance Program)
05-2205AR5MAP; 05-2305AR5MAP
(Medicaid Cluster)
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Allowable Costs/Cost Principles -
Managed Care Medical Loss Ratio (PASSE and Dental)
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-026.
Criteria:
In a final rule, published in the Federal Register on May 6, 2016 (81 FR 27498), the Centers for Medicare and Medicaid Services (CMS) adopted Medical Loss Ratio (MLR) requirements for Medicaid and Children’s Health Insurance Program (CHIP) managed care programs. One of the requirements is that a state must require each Medicaid managed care plan to calculate and report an MLR for rating periods starting on or after July 1, 2017. Each CHIP managed care plan is required to calculate and report an MLR for rating periods for state fiscal years beginning on or after July 1, 2018.
In accordance with 42 CFR § 438.8(c), if a state elects to mandate a minimum MLR, that minimum must be equal to or higher than 85%. 42 CFR § 438.8(j) indicates that if the state requires a minimum MLR to be met and if it is not met, there must be remittance to the state. Sections 9.3.1, 12.2.1, and 12.2.2 of the Dental Managed Care contracts state that the Dental Managed Care entities must submit a report detailing the calculation of its MLR on the 15th day of August in the year following the completion of each calendar year and that the MLR will be used to enforce a rebate at the end of the year.
Also, per 42 CFR § 438.5(c)(1), states must provide audited financial reports to the actuary, who determines capitation rates, for the three most recent and complete years for the managed care entities. These reports must be specific to the Medicaid contract and in accordance with generally accepted accounting principles and generally accepted auditing standards.
Finally, with regard to capitation rate setting for certain Managed Care Organization (MCO) plans, prior approval must be obtained as required, in accordance with the regulations below:
• 42 CFR § 438.4(b) - Capitation rates for MCOs must be reviewed and approved by CMS as actuarially sound and must be provided to CMS in an approved format and within a timeframe that meets the requirements defined by 42 CFR § 438.7.
• 42 CFR § 438.7(a) - States must submit all MCO rate certifications concurrent with the review and approval process for contracts as specified in 42 CFR § 438.3(a).
• 42 CFR § 438.3(a) - CMS must review and approve all contracts, including those contracts that are not subject to the prior approval requirements in 42 CFR § 438.806. For states seeking approval of contracts prior to a specific effective date, proposed final contracts must be submitted to CMS for review no later than 90 days prior to the effective date of the contract.
• 42 CFR § 438.3(c) - The capitation rate and the receipt of capitation payments under the contract must be specifically identified in the applicable contract submitted for CMS review and approval.
Criteria (Continued):
• 42 CFR § 438.806(b) - For MCO contracts, prior approval by CMS is a condition of Federal Financial Participation (FFP) under any MCO contract that has a value equal to or greater than the following threshold amounts: $1,000,000 for 1998 (the value for all subsequent years is increased by the percentage increase in the consumer price index). FFP is not available in an MCO contract that does not have prior approval from CMS.
Condition and Context:
ALA reviewed the Dental Managed Care program and the Provider-Led Arkansas Shared Savings Entity (PASSE) managed care program for compliance with the various managed care MLR requirements. As a result of procedures performed, the following deficiencies were noted:
Dental Managed Care:
• The calendar year 2021 MLR calculation for one of the two Dental Managed Care entities reflected a remittance, totaling $2,094,667, which was due to the State no later than December 31, 2022. However, the remittance still had not been made as of fieldwork date (November 3, 2023). Total questioned costs related to the federal portion of these expenditures were $1,485,140 and $150,870 for Medicaid and CHIP, respectively.
• Audited financial reports were not provided to the actuary for the three most recent and complete years prior to the reporting period. As the Dental Managed Care program was effective beginning January 1, 2018, audited financial reports from calendar years 2019, 2020, and 2021 for the two Dental Managed Care entities should have been provided.
PASSE:
• Audited financial reports were not provided to the actuary for the three most recent and complete years prior to the reporting period. As the PASSE managed care program was effective beginning March 1, 2019, audited financial reports from calendar years 2019, 2020, and 2021 for three of the four PASSEs should have been provided. (The three PASSEs are AR Total Care, Empower, and Summit’ CareSource did not participate in the PASSE program until calendar year 2022).
• No documentation was provided to substantiate that the Agency received approval from CMS for the calendar year 2022 PASSE contracts or rates prior to the start of calendar year 2022. Previously approved calendar year 2021 rates continued to be paid throughout all of calendar year 2022. Documentation obtained shows that the original calendar year 2022 PASSE contracts that were effective through September 30, 2022, were submitted to CMS for approval on January 5, 2021, that PASSE amendments extending the PASSE contracts through December 31, 2022, were submitted to CMS for approval on October 7, 2022, and the initial calendar year 2022 rates were submitted to CMS for approval on January 7, 2022. Multiple calendar year 2022 rate submissions have occurred since the initial rates were submitted, with the most recent submission occurring on June 21, 2023.
Condition and Context (Continued):
PASSE (Continued):
As of fieldwork date, November 8, 2023, the Agency has still not received CMS approval for either the calendar year 2022 PASSE contracts or rates.
• No documentation was provided to substantiate that the Agency received approval from CMS for the calendar year 2023 PASSE contracts or rates prior to the start of calendar year 2023. Previously approved calendar year 2021 rates were initially paid, but were later adjusted to the calendar year 2023 rates. Documentation obtained shows that the calendar year 2023 PASSE contracts and rates were submitted to CMS for approval on November 28, 2022. As of fieldwork date of November 8, 2023, the Agency has still not received CMS approval for either the calendar year 2023 PASSE contracts or rates.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$1,485,140 (Medicaid)
$ 150,870 (CHIP)
Cause:
The Agency did not adequately develop or implement procedures to ensure that the various managed care MLR requirements were met.
Effect:
Failure to adequately develop and implement appropriate internal control procedures limits the Agency’s ability to adequately monitor the program to ensure compliance.
Recommendation:
ALA staff recommend the Agency develop and implement control procedures for managed care MLR requirements for both the Dental and PASSE managed care programs to ensure that the required audited financial reports are provided; calculated Dental Managed Care MLR remittances due are received timely, in accordance with the terms and conditions included in the Dental Managed Care contracts; and PASSE contracts and capitation rates receive prior approval from CMS as required.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs, in part, and disputes, in part, this finding. The noted MLR remittance was submitted for collection on December 12, 2023. The agency has developed and implemented a process to collect all MLR rebates through monthly capitation payments. The agency will amend its Dental Managed Care contract to address this recoupment process.
The agency has provided its actuary with the audited financial statements for all Dental Managed Care and PASSE entities dating back to the beginning of these programs and will update its internal control to clarify the process for calculating the three years of reports that must be submitted to the actuary.
The agency disagrees that approved contracted rates were not being used for calendar year 2022. 42 CFR § 438.4(b) only requires that capitation rates be set at an actuarially sound rate for a specified time period. The requirement to receive approval for capitated rates does not mean that states are required to use previously approved rates from a prior year until a new one is approved. Actuarial best practices dictate that it is not appropriate to pay actuarial rates developed for a prior time period because there may be material differences in trend rates, covered benefits, provider reimbursement, and covered populations. Instead, it is optimal to use rates specifically developed for the applicable time limit even if CMS has not approved the rates. By using this approach, the agency ensures that it is paying MCO’s and PASSE’s capitation rates developed to be consistent with their financial responsibilities. Continued adherence to this practice is necessary as CMS consistently approves rates well after the beginning of the contract year. While CMS approval is beyond the agency’s control, agency controls and contracts have been updated to ensure rates and contracts are submitted 90 days prior to the start of the contract year.
Anticipated Completion Date: Complete
Contact Person: Elizabeth Pitman
Director, Division Medical Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-244-3944
Elizabeth.Pitman@dhs.arkansas.gov
Additional Comments from the Auditor:
ALA agrees that the actuary was provided with the audited financials. However, 42 CFR § 438.5(c)(1), states that the audited financial reports are to be those as defined at 42 CFR § 438.3(m), which those provided were not. See finding 2023-023 for further details.
ALA agrees that continuing to pay rates from a prior year until a new one is approved is also not appropriate. As a MCO plan, PASSE contracts and rates must receive prior CMS approval. No documentation was provided to show that this was obtained for calendar years 2022 and 2023.
Finally, although the timeliness of receiving CMS approval is ultimately beyond the agency’s control, 42 CFR § 438.3(a) indicates that proposed final contracts must be submitted to CMS for review no later than 90 days prior to the effective date of the contract. As noted above, based upon documentation provided, the initial calendar year 2022 rates were submitted to CMS for approval on January 7, 2022, and the initial calendar year 2023 rates were submitted to CMS for approval on November 28, 2022.
Finding Number: 2023-019
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021; 05-2305AR3002
(Children’s Health Insurance Program)
05-2205AR5MAP; 05-2305AR5MAP
(Medicaid Cluster)
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Allowable Costs/Cost Principles -
Managed Care Medical Loss Ratio (PASSE and Dental)
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-026.
Criteria:
In a final rule, published in the Federal Register on May 6, 2016 (81 FR 27498), the Centers for Medicare and Medicaid Services (CMS) adopted Medical Loss Ratio (MLR) requirements for Medicaid and Children’s Health Insurance Program (CHIP) managed care programs. One of the requirements is that a state must require each Medicaid managed care plan to calculate and report an MLR for rating periods starting on or after July 1, 2017. Each CHIP managed care plan is required to calculate and report an MLR for rating periods for state fiscal years beginning on or after July 1, 2018.
In accordance with 42 CFR § 438.8(c), if a state elects to mandate a minimum MLR, that minimum must be equal to or higher than 85%. 42 CFR § 438.8(j) indicates that if the state requires a minimum MLR to be met and if it is not met, there must be remittance to the state. Sections 9.3.1, 12.2.1, and 12.2.2 of the Dental Managed Care contracts state that the Dental Managed Care entities must submit a report detailing the calculation of its MLR on the 15th day of August in the year following the completion of each calendar year and that the MLR will be used to enforce a rebate at the end of the year.
Also, per 42 CFR § 438.5(c)(1), states must provide audited financial reports to the actuary, who determines capitation rates, for the three most recent and complete years for the managed care entities. These reports must be specific to the Medicaid contract and in accordance with generally accepted accounting principles and generally accepted auditing standards.
Finally, with regard to capitation rate setting for certain Managed Care Organization (MCO) plans, prior approval must be obtained as required, in accordance with the regulations below:
• 42 CFR § 438.4(b) - Capitation rates for MCOs must be reviewed and approved by CMS as actuarially sound and must be provided to CMS in an approved format and within a timeframe that meets the requirements defined by 42 CFR § 438.7.
• 42 CFR § 438.7(a) - States must submit all MCO rate certifications concurrent with the review and approval process for contracts as specified in 42 CFR § 438.3(a).
• 42 CFR § 438.3(a) - CMS must review and approve all contracts, including those contracts that are not subject to the prior approval requirements in 42 CFR § 438.806. For states seeking approval of contracts prior to a specific effective date, proposed final contracts must be submitted to CMS for review no later than 90 days prior to the effective date of the contract.
• 42 CFR § 438.3(c) - The capitation rate and the receipt of capitation payments under the contract must be specifically identified in the applicable contract submitted for CMS review and approval.
Criteria (Continued):
• 42 CFR § 438.806(b) - For MCO contracts, prior approval by CMS is a condition of Federal Financial Participation (FFP) under any MCO contract that has a value equal to or greater than the following threshold amounts: $1,000,000 for 1998 (the value for all subsequent years is increased by the percentage increase in the consumer price index). FFP is not available in an MCO contract that does not have prior approval from CMS.
Condition and Context:
ALA reviewed the Dental Managed Care program and the Provider-Led Arkansas Shared Savings Entity (PASSE) managed care program for compliance with the various managed care MLR requirements. As a result of procedures performed, the following deficiencies were noted:
Dental Managed Care:
• The calendar year 2021 MLR calculation for one of the two Dental Managed Care entities reflected a remittance, totaling $2,094,667, which was due to the State no later than December 31, 2022. However, the remittance still had not been made as of fieldwork date (November 3, 2023). Total questioned costs related to the federal portion of these expenditures were $1,485,140 and $150,870 for Medicaid and CHIP, respectively.
• Audited financial reports were not provided to the actuary for the three most recent and complete years prior to the reporting period. As the Dental Managed Care program was effective beginning January 1, 2018, audited financial reports from calendar years 2019, 2020, and 2021 for the two Dental Managed Care entities should have been provided.
PASSE:
• Audited financial reports were not provided to the actuary for the three most recent and complete years prior to the reporting period. As the PASSE managed care program was effective beginning March 1, 2019, audited financial reports from calendar years 2019, 2020, and 2021 for three of the four PASSEs should have been provided. (The three PASSEs are AR Total Care, Empower, and Summit’ CareSource did not participate in the PASSE program until calendar year 2022).
• No documentation was provided to substantiate that the Agency received approval from CMS for the calendar year 2022 PASSE contracts or rates prior to the start of calendar year 2022. Previously approved calendar year 2021 rates continued to be paid throughout all of calendar year 2022. Documentation obtained shows that the original calendar year 2022 PASSE contracts that were effective through September 30, 2022, were submitted to CMS for approval on January 5, 2021, that PASSE amendments extending the PASSE contracts through December 31, 2022, were submitted to CMS for approval on October 7, 2022, and the initial calendar year 2022 rates were submitted to CMS for approval on January 7, 2022. Multiple calendar year 2022 rate submissions have occurred since the initial rates were submitted, with the most recent submission occurring on June 21, 2023.
Condition and Context (Continued):
PASSE (Continued):
As of fieldwork date, November 8, 2023, the Agency has still not received CMS approval for either the calendar year 2022 PASSE contracts or rates.
• No documentation was provided to substantiate that the Agency received approval from CMS for the calendar year 2023 PASSE contracts or rates prior to the start of calendar year 2023. Previously approved calendar year 2021 rates were initially paid, but were later adjusted to the calendar year 2023 rates. Documentation obtained shows that the calendar year 2023 PASSE contracts and rates were submitted to CMS for approval on November 28, 2022. As of fieldwork date of November 8, 2023, the Agency has still not received CMS approval for either the calendar year 2023 PASSE contracts or rates.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$1,485,140 (Medicaid)
$ 150,870 (CHIP)
Cause:
The Agency did not adequately develop or implement procedures to ensure that the various managed care MLR requirements were met.
Effect:
Failure to adequately develop and implement appropriate internal control procedures limits the Agency’s ability to adequately monitor the program to ensure compliance.
Recommendation:
ALA staff recommend the Agency develop and implement control procedures for managed care MLR requirements for both the Dental and PASSE managed care programs to ensure that the required audited financial reports are provided; calculated Dental Managed Care MLR remittances due are received timely, in accordance with the terms and conditions included in the Dental Managed Care contracts; and PASSE contracts and capitation rates receive prior approval from CMS as required.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs, in part, and disputes, in part, this finding. The noted MLR remittance was submitted for collection on December 12, 2023. The agency has developed and implemented a process to collect all MLR rebates through monthly capitation payments. The agency will amend its Dental Managed Care contract to address this recoupment process.
The agency has provided its actuary with the audited financial statements for all Dental Managed Care and PASSE entities dating back to the beginning of these programs and will update its internal control to clarify the process for calculating the three years of reports that must be submitted to the actuary.
The agency disagrees that approved contracted rates were not being used for calendar year 2022. 42 CFR § 438.4(b) only requires that capitation rates be set at an actuarially sound rate for a specified time period. The requirement to receive approval for capitated rates does not mean that states are required to use previously approved rates from a prior year until a new one is approved. Actuarial best practices dictate that it is not appropriate to pay actuarial rates developed for a prior time period because there may be material differences in trend rates, covered benefits, provider reimbursement, and covered populations. Instead, it is optimal to use rates specifically developed for the applicable time limit even if CMS has not approved the rates. By using this approach, the agency ensures that it is paying MCO’s and PASSE’s capitation rates developed to be consistent with their financial responsibilities. Continued adherence to this practice is necessary as CMS consistently approves rates well after the beginning of the contract year. While CMS approval is beyond the agency’s control, agency controls and contracts have been updated to ensure rates and contracts are submitted 90 days prior to the start of the contract year.
Anticipated Completion Date: Complete
Contact Person: Elizabeth Pitman
Director, Division Medical Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-244-3944
Elizabeth.Pitman@dhs.arkansas.gov
Additional Comments from the Auditor:
ALA agrees that the actuary was provided with the audited financials. However, 42 CFR § 438.5(c)(1), states that the audited financial reports are to be those as defined at 42 CFR § 438.3(m), which those provided were not. See finding 2023-023 for further details.
ALA agrees that continuing to pay rates from a prior year until a new one is approved is also not appropriate. As a MCO plan, PASSE contracts and rates must receive prior CMS approval. No documentation was provided to show that this was obtained for calendar years 2022 and 2023.
Finally, although the timeliness of receiving CMS approval is ultimately beyond the agency’s control, 42 CFR § 438.3(a) indicates that proposed final contracts must be submitted to CMS for review no later than 90 days prior to the effective date of the contract. As noted above, based upon documentation provided, the initial calendar year 2022 rates were submitted to CMS for approval on January 7, 2022, and the initial calendar year 2023 rates were submitted to CMS for approval on November 28, 2022.
Finding Number: 2023-020
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021; 05-2305AR3002
(Children’s Health Insurance Program)
05-2205AR5MAP; 05-2305AR5MAP
(Medicaid Cluster)
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Eligibility
Type of Finding: Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-023.
Criteria:
In accordance with 45 CFR § 75.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statues, regulations, and terms and conditions of the award.
Also, 42 CFR 435.945(d), states that all Medicaid state eligibility determination systems must conduct data matching through the Public Assistance Reporting Information System (PARIS).
Condition and Context:
PARIS is a data matching service that identifies recipients of public assistance who receive duplicate benefits in two or more states, in order to help detect improper payments. This system is administered by the Office of the Administration for Children and Families (ACF) within the U.S. Department of Health and Human Services.
ALA selected two quarters from state fiscal year 2023 for review to ensure that the Agency participated in the interstate PARIS match and to determine that adequate supporting documentation was available to demonstrate that the Agency adequately reviewed identified matches and determined whether those recipients were currently residing in Arkansas and, therefore, properly received benefits under the Arkansas Medicaid or CHIP programs.
ALA review confirmed that the Agency participated in the PARIS match for the two quarters selected for testing (i.e., November 2022 and May 2023).
ALA then selected a sample of 20 recipients (10 recipient cases from each selected quarterly report) that were flagged as receiving Medicaid or CHIP benefits in Arkansas and another state to determine if those cases were reviewed. ALA testing of PARIS match results revealed one recipient with an open Medicaid case in both Arkansas and another state. The match was based on the recipient’s name, date of birth, and social security number. Information related to this match was not uploaded to the ARIES eligibility system because of a system coding issue; therefore, the recipient’s case was not reviewed to determine if the recipient met the residency requirement.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Unknown
Cause:
The ARIES system logic excluded PARIS match results from being uploaded into the system when any address line field was left blank. For example, if “Address line 1” on the PARIS match report was empty, system logic did not consider information recorded on “Address line 2,” which could confirm the recipient’s out of state address. According to the Division of County Operations (DCO), PARIS matching system logic within ARIES will need to be adjusted to ensure these types of cases are identified in the future.
Effect:
Failure to review the PARIS interstate matches could result in the Agency not identifying individuals who are no longer residents of Arkansas and, as a result, are ineligible to receive benefits under the Arkansas Medicaid or CHIP programs. Improper payments could be made on behalf of ineligible recipients.
Recommendation:
ALA staff recommend the Agency develop system controls in ARIES to ensure that all PARIS interstate match data received by the State is used when determining whether Medicaid benefits are dually active in Arkansas and another state. This will ensure the recipients qualify for continued eligibility coverage.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. ARIES system logic has been updated to consider all information recorded in the PARIS match reports when identifying cases for review.
Anticipated Completion Date: Complete
Contact Person: Mary Franklin
Director, Division County Operations
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-681-8377
Mary.Franklin@dhs.arkansas.gov
Finding Number: 2023-020
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021; 05-2305AR3002
(Children’s Health Insurance Program)
05-2205AR5MAP; 05-2305AR5MAP
(Medicaid Cluster)
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Eligibility
Type of Finding: Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-023.
Criteria:
In accordance with 45 CFR § 75.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statues, regulations, and terms and conditions of the award.
Also, 42 CFR 435.945(d), states that all Medicaid state eligibility determination systems must conduct data matching through the Public Assistance Reporting Information System (PARIS).
Condition and Context:
PARIS is a data matching service that identifies recipients of public assistance who receive duplicate benefits in two or more states, in order to help detect improper payments. This system is administered by the Office of the Administration for Children and Families (ACF) within the U.S. Department of Health and Human Services.
ALA selected two quarters from state fiscal year 2023 for review to ensure that the Agency participated in the interstate PARIS match and to determine that adequate supporting documentation was available to demonstrate that the Agency adequately reviewed identified matches and determined whether those recipients were currently residing in Arkansas and, therefore, properly received benefits under the Arkansas Medicaid or CHIP programs.
ALA review confirmed that the Agency participated in the PARIS match for the two quarters selected for testing (i.e., November 2022 and May 2023).
ALA then selected a sample of 20 recipients (10 recipient cases from each selected quarterly report) that were flagged as receiving Medicaid or CHIP benefits in Arkansas and another state to determine if those cases were reviewed. ALA testing of PARIS match results revealed one recipient with an open Medicaid case in both Arkansas and another state. The match was based on the recipient’s name, date of birth, and social security number. Information related to this match was not uploaded to the ARIES eligibility system because of a system coding issue; therefore, the recipient’s case was not reviewed to determine if the recipient met the residency requirement.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Unknown
Cause:
The ARIES system logic excluded PARIS match results from being uploaded into the system when any address line field was left blank. For example, if “Address line 1” on the PARIS match report was empty, system logic did not consider information recorded on “Address line 2,” which could confirm the recipient’s out of state address. According to the Division of County Operations (DCO), PARIS matching system logic within ARIES will need to be adjusted to ensure these types of cases are identified in the future.
Effect:
Failure to review the PARIS interstate matches could result in the Agency not identifying individuals who are no longer residents of Arkansas and, as a result, are ineligible to receive benefits under the Arkansas Medicaid or CHIP programs. Improper payments could be made on behalf of ineligible recipients.
Recommendation:
ALA staff recommend the Agency develop system controls in ARIES to ensure that all PARIS interstate match data received by the State is used when determining whether Medicaid benefits are dually active in Arkansas and another state. This will ensure the recipients qualify for continued eligibility coverage.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. ARIES system logic has been updated to consider all information recorded in the PARIS match reports when identifying cases for review.
Anticipated Completion Date: Complete
Contact Person: Mary Franklin
Director, Division County Operations
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-681-8377
Mary.Franklin@dhs.arkansas.gov
Finding Number: 2023-021
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2305AR3002
(Children’s Health Insurance Program)
05-2305AR5ADM; 05-2305AR5MAP
(Medicaid Cluster)
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Matching, Level of Effort, Earmarking
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year findings 2022-024.
Criteria:
In accordance with 45 CFR § 95.507(4), the Agency’s established Cost Allocation Plan is required to contain sufficient information in such detail to permit the Director – Division of Cost Allocation, after consulting with the Operating Divisions, to make an informed judgment on the correctness and fairness of the State’s procedures for identifying, measuring, and allocating all costs to each of the programs operated by the Agency.
42 CFR §§ 433.10 and 433.15 established rates to be used to calculate non-administrative and administrative state match and require that the state pay part of the costs for providing and administering the Medical Assistance Program (MAP) and the Children’s Health Insurance Program (CHIP).
Condition and Context:
Medicaid:
ALA selected seven days from June 2023 to determine if the funds used as match for administrative and program expenditures for those days were from an allowable funding source. The match required from the seven days selected totaled $41,444,396. Of this amount, ALA staff were able to confirm allowable funding sources for $17,699,441 but were unable to confirm allowable funding sources for the balance totaling $23,744,955.
CHIP:
ALA selected two days from June 2023 to determine if the funds used as match for administrative and program expenditures for those days were from an allowable funding source. The match required from the two days selected totaled $772,427. Of this amount, ALA staff were able to confirm allowable funding sources for $364,794 but unable to confirm allowable funding sources for the balance totaling $407,633.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
MAP - $23,744,955
CHIP - $407,633
Cause:
In response to prior-year findings, the Agency implemented new procedures to include AASIS coding detail in the Funds Management Ledger and in AASIS transfer entries to allow for improved monitoring of funding sources by program. However, the new procedures were not implemented until June 2023. Although ALA was able to perform testing and determine the new procedures were implemented, many funding sources, including both state general revenues and other non-federal revenue sources are transferred to paying funds immediately when they become available. As such, the Agency had not implemented the new procedures at the time the funds were initially transferred; therefore, these entries did not include the needed detail to determine the source of funds.
Cause (Continued):
ALA further noted, as stated in prior-year audit findings, the Agency utilizes a Lotus ledger system to monitor source of funds by AASIS fund. ALA reviewed reports from this system and identified many errors, including incorrect amounts, misclassified funding source, and discrepancies between prior-month ending balances and current-month beginning balances. Therefore, ALA determined the reports could not be relied upon to verify allowable source of funds.
Effect:
The Agency’s inadequate controls resulted in a failure to document the required state match and could limit the Agency’s resources to ensure the State can continue to provide benefits.
Recommendation:
ALA staff recommend the Agency continue to strengthen procedures and implement appropriate controls to allow the Agency to track funding sources used to meet state match requirements for federal programs.
Views of Responsible Officials and Planned Corrective Action:
DHS disputes this finding. All funds used as match for administrative and program expenditures were from an allowable funding source. The agency confirmed that the Arkansas Medicaid Program Trust Fund, which funds all bank accounts used for administrative and program expenditures for Medicaid and CHIP, is only funded with statutorily allowed revenues. The complex nature of Medicaid and CHIP finance and frequency of transactions necessitates paying accounts be sufficiently funded to pay all costs associated with administering the programs. This often results in accounts carrying a fund balance that does not require the agency to draw down additional state general revenue or other non-federal funds to meet its state match obligation. While the agency disagrees that a dollar-for-dollar reconciliation of funding draws is the appropriate way to confirm program expenditures are from an allowable source, we continue to update our general ledger system to improve the ability to monitor state general revenues and other non-federal federal revenue sources used to match federal funding.
Anticipated Completion Date: Complete
Contact Person: Misty Eubanks
Deputy Secretary for Operations and Budget and Interim Chief Financial Officer
Department of Human Services
P.O. Box 1437, Slot S201
Little Rock, AR 72203-1437
501-320-6327
Misty.Eubanks@dhs.arkansas.gov
Additional Comments from the Auditor:
As noted in prior year findings related to state matching requirements, the Agency does not maintain documentation identifying the original source of revenues for the category “other non-federal.” Additionally, the Arkansas Administrative Statewide Information System (AASIS) does not include functionality to identify the revenue source for monies previously transferred to the AASIS paying funds; therefore, the Agency utilizes an outside accounting system, Lotus 1-2-3, to maintain and trace federal revenue, state general revenue and other non-federal funds available. ALA further notes Agency staff manually key information into this system daily; however, no reviews or other controls are in place to ensure the accuracy of the funding category balances. ALA review of the June 2023 reports from the Lotus system revealed multiple errors as identified in the “Cause” section of the finding above. ALA also performed a review of division level monitoring of revenue sources. Per this review, the Agency’s monitoring procedures are performed at the division level and are not broken out to the federal program level. Therefore, ALA was unable to verify the funds used to the meet the State matching requirements were from an appropriate funding source.
Finding Number: 2023-021
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2305AR3002
(Children’s Health Insurance Program)
05-2305AR5ADM; 05-2305AR5MAP
(Medicaid Cluster)
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Matching, Level of Effort, Earmarking
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year findings 2022-024.
Criteria:
In accordance with 45 CFR § 95.507(4), the Agency’s established Cost Allocation Plan is required to contain sufficient information in such detail to permit the Director – Division of Cost Allocation, after consulting with the Operating Divisions, to make an informed judgment on the correctness and fairness of the State’s procedures for identifying, measuring, and allocating all costs to each of the programs operated by the Agency.
42 CFR §§ 433.10 and 433.15 established rates to be used to calculate non-administrative and administrative state match and require that the state pay part of the costs for providing and administering the Medical Assistance Program (MAP) and the Children’s Health Insurance Program (CHIP).
Condition and Context:
Medicaid:
ALA selected seven days from June 2023 to determine if the funds used as match for administrative and program expenditures for those days were from an allowable funding source. The match required from the seven days selected totaled $41,444,396. Of this amount, ALA staff were able to confirm allowable funding sources for $17,699,441 but were unable to confirm allowable funding sources for the balance totaling $23,744,955.
CHIP:
ALA selected two days from June 2023 to determine if the funds used as match for administrative and program expenditures for those days were from an allowable funding source. The match required from the two days selected totaled $772,427. Of this amount, ALA staff were able to confirm allowable funding sources for $364,794 but unable to confirm allowable funding sources for the balance totaling $407,633.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
MAP - $23,744,955
CHIP - $407,633
Cause:
In response to prior-year findings, the Agency implemented new procedures to include AASIS coding detail in the Funds Management Ledger and in AASIS transfer entries to allow for improved monitoring of funding sources by program. However, the new procedures were not implemented until June 2023. Although ALA was able to perform testing and determine the new procedures were implemented, many funding sources, including both state general revenues and other non-federal revenue sources are transferred to paying funds immediately when they become available. As such, the Agency had not implemented the new procedures at the time the funds were initially transferred; therefore, these entries did not include the needed detail to determine the source of funds.
Cause (Continued):
ALA further noted, as stated in prior-year audit findings, the Agency utilizes a Lotus ledger system to monitor source of funds by AASIS fund. ALA reviewed reports from this system and identified many errors, including incorrect amounts, misclassified funding source, and discrepancies between prior-month ending balances and current-month beginning balances. Therefore, ALA determined the reports could not be relied upon to verify allowable source of funds.
Effect:
The Agency’s inadequate controls resulted in a failure to document the required state match and could limit the Agency’s resources to ensure the State can continue to provide benefits.
Recommendation:
ALA staff recommend the Agency continue to strengthen procedures and implement appropriate controls to allow the Agency to track funding sources used to meet state match requirements for federal programs.
Views of Responsible Officials and Planned Corrective Action:
DHS disputes this finding. All funds used as match for administrative and program expenditures were from an allowable funding source. The agency confirmed that the Arkansas Medicaid Program Trust Fund, which funds all bank accounts used for administrative and program expenditures for Medicaid and CHIP, is only funded with statutorily allowed revenues. The complex nature of Medicaid and CHIP finance and frequency of transactions necessitates paying accounts be sufficiently funded to pay all costs associated with administering the programs. This often results in accounts carrying a fund balance that does not require the agency to draw down additional state general revenue or other non-federal funds to meet its state match obligation. While the agency disagrees that a dollar-for-dollar reconciliation of funding draws is the appropriate way to confirm program expenditures are from an allowable source, we continue to update our general ledger system to improve the ability to monitor state general revenues and other non-federal federal revenue sources used to match federal funding.
Anticipated Completion Date: Complete
Contact Person: Misty Eubanks
Deputy Secretary for Operations and Budget and Interim Chief Financial Officer
Department of Human Services
P.O. Box 1437, Slot S201
Little Rock, AR 72203-1437
501-320-6327
Misty.Eubanks@dhs.arkansas.gov
Additional Comments from the Auditor:
As noted in prior year findings related to state matching requirements, the Agency does not maintain documentation identifying the original source of revenues for the category “other non-federal.” Additionally, the Arkansas Administrative Statewide Information System (AASIS) does not include functionality to identify the revenue source for monies previously transferred to the AASIS paying funds; therefore, the Agency utilizes an outside accounting system, Lotus 1-2-3, to maintain and trace federal revenue, state general revenue and other non-federal funds available. ALA further notes Agency staff manually key information into this system daily; however, no reviews or other controls are in place to ensure the accuracy of the funding category balances. ALA review of the June 2023 reports from the Lotus system revealed multiple errors as identified in the “Cause” section of the finding above. ALA also performed a review of division level monitoring of revenue sources. Per this review, the Agency’s monitoring procedures are performed at the division level and are not broken out to the federal program level. Therefore, ALA was unable to verify the funds used to the meet the State matching requirements were from an appropriate funding source.
Finding Number: 2023-022
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021; 05-2305AR3002
(Children’s Health Insurance Program)
05-2205AR5MAP; 05-2305AR5MAP
(Medicaid Cluster)
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Reporting
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-033.
Criteria:
In accordance with 45 CFR § 75.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and terms and conditions of the award.
The Agency’s controls include the establishment of written procedures for identifying and properly reporting expenditures on the quarterly CMS-64 and CMS-21 reports. Established written procedures ensure the Agency can prepare reports accurately and timely in instances of system issues or staff changes.
Additionally, the Agency completes reconciliations of Total Medical Service Expenditures per CMS-64 and CMS-21 reports to the Quarterly Cost Allocation Reports. The reconciliations help to ensure that expenditures are accurately reported.
Finally, 42 CFR 430.30(c) requires submission of a quarterly CMS-64 for the Medical Assistance Program (MAP) no later than 30 days after the end of each quarter. Amounts reported on the CMS-64 must be an accurate and complete accounting of actual expenditures.
Condition and Context:
ALA reviewed written procedures for the CHIP and Medicaid reporting workbooks for the quarters ended September 30, 2022 and March 31, 2023. Reporting instructions were included for each workbook. However, the instructions had not been updated to cover all current items in the workbooks, making the control ineffective.
The Agency’s quarterly reconciliations of total reported expenditures to cost allocation reports for the quarters previously mentioned were also reviewed. ALA review revealed the Agency failed to identify and explain a significant portion of the noted variance between the Agency’s accounting system and reported expenditures for the quarter ended September 30, 2022.
The unexplained portion of the variance totaled $108.1 million (5.92% of total reported expenditures) for the Medicaid program and totaled $8.2 million (21.37% of total reported expenditures) for CHIP. Therefore, the reconciliation is not considered effective as the variances were not adequately explained.
Condition and Context (Continued):
Additionally, ALA staff performed testing of expenditures reported on the CMS-64 for the quarters ending September 30, 2022, and March 31, 2023, to confirm accuracy and completeness with the expenditures recorded in the Agency’s financial management system. ALA review revealed the following errors:
• From the September 30, 2022, CMS-64 report, 25 line items totaling $1,912,069,973 and representing 91.52% of MAP expenditures were selected. ALA identified uncorrected errors affecting three line items, resulting in a net understatement of the federal portion of expenditures totaling $87,676.
• From the March 31, 2023, CMS-64 report, 24 line items totaling $2,044,925,178 and representing 90.54% of MAP expenditures were selected. ALA identified uncorrected errors affecting two line items, resulting in a net overstatement of the federal portion of expenditures totaling $53,907.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Understated amount - $87,676
Overstated amount - $53,907
Cause:
The Agency did not adequately perform the implemented control activities to ensure they were operating effectively. In addition, the Agency failed to adequately review report line calculations for accuracy prior to submitting the quarterly reports
Effect:
The Agency’s control procedures to ensure quarterly reports are completed timely and accurately may not be effective in preventing, detecting, and correcting expenditure reporting errors.
Expenditure amounts reported on the CMS-64 were misstated for the MAP, resulting in the Agency claiming incorrect federal funding amounts for the expenditures.
Recommendation:
ALA staff recommend the Agency update reporting instructions for CHIP and Medicaid workbooks to ensure reports are prepared timely and accurately. ALA further recommends the Agency ensure any large variances have an explanation when reconciling reported amounts to cost allocation to ensure expenditures are correctly reported.
Additionally, ALA staff recommend the Agency perform a thorough review of report calculations for accuracy prior to submitting the quarterly reports; review and verify the accuracy of the supporting documentation for all manual adjustments; and correct identified errors by entering prior period adjustments on subsequent CMS-64 reports.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. The agency will update its written reporting instructions for Medicaid and CHIP to cover all items in the report workbooks. After the conclusion of the audit testing, the agency confirmed that the noted variance between the agency’s accounting system and reported expenditures for the quarter ended September 30, 2022, was below the 5% threshold which requires an explanation to be provided to CMS financial analysts. The agency has reassigned resources to the Medicaid reporting section which will allow for additional time to spend researching variances identified in quarterly reconciliations. The agency also confirmed that the understatement of the federal portion of the September 30, 2022, CMS-64 report was $10,582, and the overstatement of the federal portion of the of the March 31, 2023, CMS-64 report was $30,664. The agency will correct these errors through an adjustment on an upcoming submission of the CMS-64 report.
Anticipated Completion Date: 7/31/2024
Contact Person: Jason Callan
Medicaid Chief Financial Officer
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-320-6540
Jason.Callan@dhs.arkansas.gov
Finding Number: 2023-022
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021; 05-2305AR3002
(Children’s Health Insurance Program)
05-2205AR5MAP; 05-2305AR5MAP
(Medicaid Cluster)
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Reporting
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-033.
Criteria:
In accordance with 45 CFR § 75.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and terms and conditions of the award.
The Agency’s controls include the establishment of written procedures for identifying and properly reporting expenditures on the quarterly CMS-64 and CMS-21 reports. Established written procedures ensure the Agency can prepare reports accurately and timely in instances of system issues or staff changes.
Additionally, the Agency completes reconciliations of Total Medical Service Expenditures per CMS-64 and CMS-21 reports to the Quarterly Cost Allocation Reports. The reconciliations help to ensure that expenditures are accurately reported.
Finally, 42 CFR 430.30(c) requires submission of a quarterly CMS-64 for the Medical Assistance Program (MAP) no later than 30 days after the end of each quarter. Amounts reported on the CMS-64 must be an accurate and complete accounting of actual expenditures.
Condition and Context:
ALA reviewed written procedures for the CHIP and Medicaid reporting workbooks for the quarters ended September 30, 2022 and March 31, 2023. Reporting instructions were included for each workbook. However, the instructions had not been updated to cover all current items in the workbooks, making the control ineffective.
The Agency’s quarterly reconciliations of total reported expenditures to cost allocation reports for the quarters previously mentioned were also reviewed. ALA review revealed the Agency failed to identify and explain a significant portion of the noted variance between the Agency’s accounting system and reported expenditures for the quarter ended September 30, 2022.
The unexplained portion of the variance totaled $108.1 million (5.92% of total reported expenditures) for the Medicaid program and totaled $8.2 million (21.37% of total reported expenditures) for CHIP. Therefore, the reconciliation is not considered effective as the variances were not adequately explained.
Condition and Context (Continued):
Additionally, ALA staff performed testing of expenditures reported on the CMS-64 for the quarters ending September 30, 2022, and March 31, 2023, to confirm accuracy and completeness with the expenditures recorded in the Agency’s financial management system. ALA review revealed the following errors:
• From the September 30, 2022, CMS-64 report, 25 line items totaling $1,912,069,973 and representing 91.52% of MAP expenditures were selected. ALA identified uncorrected errors affecting three line items, resulting in a net understatement of the federal portion of expenditures totaling $87,676.
• From the March 31, 2023, CMS-64 report, 24 line items totaling $2,044,925,178 and representing 90.54% of MAP expenditures were selected. ALA identified uncorrected errors affecting two line items, resulting in a net overstatement of the federal portion of expenditures totaling $53,907.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Understated amount - $87,676
Overstated amount - $53,907
Cause:
The Agency did not adequately perform the implemented control activities to ensure they were operating effectively. In addition, the Agency failed to adequately review report line calculations for accuracy prior to submitting the quarterly reports
Effect:
The Agency’s control procedures to ensure quarterly reports are completed timely and accurately may not be effective in preventing, detecting, and correcting expenditure reporting errors.
Expenditure amounts reported on the CMS-64 were misstated for the MAP, resulting in the Agency claiming incorrect federal funding amounts for the expenditures.
Recommendation:
ALA staff recommend the Agency update reporting instructions for CHIP and Medicaid workbooks to ensure reports are prepared timely and accurately. ALA further recommends the Agency ensure any large variances have an explanation when reconciling reported amounts to cost allocation to ensure expenditures are correctly reported.
Additionally, ALA staff recommend the Agency perform a thorough review of report calculations for accuracy prior to submitting the quarterly reports; review and verify the accuracy of the supporting documentation for all manual adjustments; and correct identified errors by entering prior period adjustments on subsequent CMS-64 reports.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. The agency will update its written reporting instructions for Medicaid and CHIP to cover all items in the report workbooks. After the conclusion of the audit testing, the agency confirmed that the noted variance between the agency’s accounting system and reported expenditures for the quarter ended September 30, 2022, was below the 5% threshold which requires an explanation to be provided to CMS financial analysts. The agency has reassigned resources to the Medicaid reporting section which will allow for additional time to spend researching variances identified in quarterly reconciliations. The agency also confirmed that the understatement of the federal portion of the September 30, 2022, CMS-64 report was $10,582, and the overstatement of the federal portion of the of the March 31, 2023, CMS-64 report was $30,664. The agency will correct these errors through an adjustment on an upcoming submission of the CMS-64 report.
Anticipated Completion Date: 7/31/2024
Contact Person: Jason Callan
Medicaid Chief Financial Officer
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-320-6540
Jason.Callan@dhs.arkansas.gov
Finding Number: 2023-023
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021; 05-2305AR3002
(Children’s Health Insurance Program)
05-2205AR5MAP; 05-2305AR5MAP
(Medicaid Cluster)
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Managed Care Financial Audits (PASSE and Dental)
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-025.
Criteria:
45 CFR § 75.303 states that a non-federal entity must:
• Establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. These controls should be in compliance with Green Book or COSO guidance.
• Evaluate and monitor its compliance with the award.
• Take prompt action when instances of noncompliance are identified, including noncompliance identified in audit findings.
In addition, 42 CFR § 438.3 (m) states that managed care contracts must require Managed Care Organizations (MCOs), Prepaid Inpatient Health Plans (PIHPs), and Prepaid Ambulatory Health Plans (PAHPs) to annually submit audited financial reports that are conducted in accordance with generally accepted accounting principles and generally accepted auditing standards specific to the Medicaid contract.
Condition and Context:
ALA performed testing to determine if there was sufficient, adequate language in the managed care contracts and agreements for Provider-Led Arkansas Shares Savings Entity (PASSE) and Dental Managed Care regarding audited financial reports. ALA review revealed that adequate language was not included in the Dental Managed Care contracts requiring that the annual financial audit be performed. Although the Agency has taken steps to update the contract to include this language, as of fieldwork performed in September 2023, the contracts still had not been formally updated.
In addition, ALA performed testing to ensure that the annual audited financial reports were performed for the applicable managed care program entities and that the reports were in compliance with federal regulations.
Four MCOs participated in the PASSE managed care program, and two dental managed care entities participated in the Dental Managed Care program during calendar year 2022. These entities would have been required to submit audited financial reports.
The results of ALA testing revealed that although audited financial reports were provided by all PASSE and dental managed care entities, all four PASSE entities’ reports and both dental managed care entities’ reports were not in accordance with generally accepted accounting principles. In addition, the audits for the two dental managed care entities were not specific to the Medicaid contract.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The Agency did not adequately develop control procedures for its staff to ensure that adequate language was contained in the Dental Managed Care contract regarding audited financial reports. In addition, the Agency did not adequately monitor the submission of reports to ensure they complied with federal regulations.
Effect:
Failure to implement appropriate procedures for internal control limits the Agency’s ability to adequately monitor the programs for possible noncompliance. In addition, failure to monitor the adequacy of the reports submitted led to the Agency not identifying that the reports received did not comply with federal regulations.
Recommendation:
ALA staff recommend the Agency update the language in the Dental Managed Care contract to require audited financial reports, in accordance with 42 CFR § § 438.3(m). In addition, the Agency should strengthen monitoring controls to ensure that all reports received are in compliance with requirements included in the federal regulations.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs, in part, and disputes, in part, the finding. DHS has submitted and received approval from CMS for changes to the Dental Managed Care contract that requires the completion of annual audited financial reports. The agency disagrees that the audited financial reports submitted by the PASSE and Dental Managed Care Organizations (DMO) do not comply with 42 CFR 438.3(M). CMS guidance pertaining to that regulation provides that states have the flexibility to specify the applicable generally accepted accounting and auditing principles for the audited financial reports in the managed care plan contracts. The Arkansas Insurance Department also requires insurers to submit annual audited financial statements. Ark. Code Ann. 23-61-108 requires PASSE’s and DMO’s to follow the National Association of Insurance Commissioners Accounting Practices and Procedures Manual. DHS interprets 42 CFR 438.3(M) and its related guidance to permit the State Medicaid Agency flexibility to adopt the same accounting principles as the State Insurance Agency. As a practical matter, DHS reviewed the use of the audited financial statements and the information necessary to be contained within those statements. DMS discussed the use of the audited financial statements with the External Quality Review Organization (EQRO) that performs our External Quality Review. The EQRO confirmed that audited financial statements that complied with the Arkansas statutory basis would be satisfactory for review purposes.
Anticipated Completion Date: Complete
Contact Person: Elizabeth Pitman
Director, Division of Medical Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-244-3944
Elizabeth.Pitman@dhs.arkansas.gov
Additional Comments from the Auditor:
ALA cannot confirm the specific CMS guidance that the Agency is referring to as it was not provided to auditors during fieldwork. However, auditors did discuss a particular question and answer, item 10, included in the CMS Medicaid and CHIP Managed Care Final Rule (CMS-2390-F) Frequently Asked Questions (FAQs) dated November 10, 2016, with the Agency. This item indicates that states have the flexibility to specify the applicable generally accepted accounting and auditing principles for the audited financial reports in the managed care plan contracts. During SFY23, the PASSE agreements (section 11.1.9) required that the audited financials be in accordance with GAAP and GAAS. As noted above, ALA review revealed that during SFY23, adequate language was not included in the Dental Managed Care contracts requiring that the annual financial audit be performed. Auditors agree that once the terms of the PASSE and Dental contracts are updated to require that audited financials be on the statutory basis, that there will no longer be non-compliance noted related to the financials not being in accordance with GAAP. However, regardless of the specific basis, 42 CFR § 438.3(m) still requires that financials be specific to the Medicaid contract.
Finding Number: 2023-023
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021; 05-2305AR3002
(Children’s Health Insurance Program)
05-2205AR5MAP; 05-2305AR5MAP
(Medicaid Cluster)
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Managed Care Financial Audits (PASSE and Dental)
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-025.
Criteria:
45 CFR § 75.303 states that a non-federal entity must:
• Establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award. These controls should be in compliance with Green Book or COSO guidance.
• Evaluate and monitor its compliance with the award.
• Take prompt action when instances of noncompliance are identified, including noncompliance identified in audit findings.
In addition, 42 CFR § 438.3 (m) states that managed care contracts must require Managed Care Organizations (MCOs), Prepaid Inpatient Health Plans (PIHPs), and Prepaid Ambulatory Health Plans (PAHPs) to annually submit audited financial reports that are conducted in accordance with generally accepted accounting principles and generally accepted auditing standards specific to the Medicaid contract.
Condition and Context:
ALA performed testing to determine if there was sufficient, adequate language in the managed care contracts and agreements for Provider-Led Arkansas Shares Savings Entity (PASSE) and Dental Managed Care regarding audited financial reports. ALA review revealed that adequate language was not included in the Dental Managed Care contracts requiring that the annual financial audit be performed. Although the Agency has taken steps to update the contract to include this language, as of fieldwork performed in September 2023, the contracts still had not been formally updated.
In addition, ALA performed testing to ensure that the annual audited financial reports were performed for the applicable managed care program entities and that the reports were in compliance with federal regulations.
Four MCOs participated in the PASSE managed care program, and two dental managed care entities participated in the Dental Managed Care program during calendar year 2022. These entities would have been required to submit audited financial reports.
The results of ALA testing revealed that although audited financial reports were provided by all PASSE and dental managed care entities, all four PASSE entities’ reports and both dental managed care entities’ reports were not in accordance with generally accepted accounting principles. In addition, the audits for the two dental managed care entities were not specific to the Medicaid contract.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The Agency did not adequately develop control procedures for its staff to ensure that adequate language was contained in the Dental Managed Care contract regarding audited financial reports. In addition, the Agency did not adequately monitor the submission of reports to ensure they complied with federal regulations.
Effect:
Failure to implement appropriate procedures for internal control limits the Agency’s ability to adequately monitor the programs for possible noncompliance. In addition, failure to monitor the adequacy of the reports submitted led to the Agency not identifying that the reports received did not comply with federal regulations.
Recommendation:
ALA staff recommend the Agency update the language in the Dental Managed Care contract to require audited financial reports, in accordance with 42 CFR § § 438.3(m). In addition, the Agency should strengthen monitoring controls to ensure that all reports received are in compliance with requirements included in the federal regulations.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs, in part, and disputes, in part, the finding. DHS has submitted and received approval from CMS for changes to the Dental Managed Care contract that requires the completion of annual audited financial reports. The agency disagrees that the audited financial reports submitted by the PASSE and Dental Managed Care Organizations (DMO) do not comply with 42 CFR 438.3(M). CMS guidance pertaining to that regulation provides that states have the flexibility to specify the applicable generally accepted accounting and auditing principles for the audited financial reports in the managed care plan contracts. The Arkansas Insurance Department also requires insurers to submit annual audited financial statements. Ark. Code Ann. 23-61-108 requires PASSE’s and DMO’s to follow the National Association of Insurance Commissioners Accounting Practices and Procedures Manual. DHS interprets 42 CFR 438.3(M) and its related guidance to permit the State Medicaid Agency flexibility to adopt the same accounting principles as the State Insurance Agency. As a practical matter, DHS reviewed the use of the audited financial statements and the information necessary to be contained within those statements. DMS discussed the use of the audited financial statements with the External Quality Review Organization (EQRO) that performs our External Quality Review. The EQRO confirmed that audited financial statements that complied with the Arkansas statutory basis would be satisfactory for review purposes.
Anticipated Completion Date: Complete
Contact Person: Elizabeth Pitman
Director, Division of Medical Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-244-3944
Elizabeth.Pitman@dhs.arkansas.gov
Additional Comments from the Auditor:
ALA cannot confirm the specific CMS guidance that the Agency is referring to as it was not provided to auditors during fieldwork. However, auditors did discuss a particular question and answer, item 10, included in the CMS Medicaid and CHIP Managed Care Final Rule (CMS-2390-F) Frequently Asked Questions (FAQs) dated November 10, 2016, with the Agency. This item indicates that states have the flexibility to specify the applicable generally accepted accounting and auditing principles for the audited financial reports in the managed care plan contracts. During SFY23, the PASSE agreements (section 11.1.9) required that the audited financials be in accordance with GAAP and GAAS. As noted above, ALA review revealed that during SFY23, adequate language was not included in the Dental Managed Care contracts requiring that the annual financial audit be performed. Auditors agree that once the terms of the PASSE and Dental contracts are updated to require that audited financials be on the statutory basis, that there will no longer be non-compliance noted related to the financials not being in accordance with GAAP. However, regardless of the specific basis, 42 CFR § 438.3(m) still requires that financials be specific to the Medicaid contract.
Finding Number: 2023-024
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021
Federal Award Year(s): 2022
Compliance Requirement(s) Affected: Activities Allowed or Unallowed –
Managed Care (PASSE)
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-027.
Criteria:
The Provider-Led Arkansas Shared Savings Entity (PASSE) program transitioned to a full-risk Managed Care Organization (MCO) model on March 1, 2019. The program covers services for behavioral health (BH) recipients and developmentally disabled (DD) recipients. To receive services through PASSE, an individual must have an independent assessment (IA) performed that designates him or her at the appropriate level of need to participate in the program.
The § 1915(c) Home and Community-Based Services Waiver, applicable to the DD population, requires that an IA be performed at least every three years. Appendix K flexibilities were granted by which an additional 12-month extension was allowed for the IAs effective beginning March 12, 2020. This flexibility ended six months after the end of the public health emergency (PHE). As the PHE ended on May 11, 2023, flexibilities ended on November 11, 2023.
§ 1915(i) of the Social Security Act, applicable to the BH population, which provides states the option to offer home and community-based services through the state’s plan, requires that an IA be performed at least every 12 months. In addition, 42 CFR § 441.720(b) states that for reassessments, the IA of need must be conducted at least every 12 months and as needed when the individual’s support needs or circumstances change significantly, in order to revise the service plan. Section 1135 flexibilities were granted by which an additional 12-month extension was allowed for the IAs effective beginning March 17, 2020. This flexibility ended when the PHE ended on May 11, 2023.
Condition and Context:
ALA selected 40 PASSE recipients (all BH recipients) to determine if the following attributes had been met:
• An open eligibility segment for the recipient during the dates of service.
• A valid IA on file in effect for the dates of service.
• Appropriate amount paid in accordance with the actuarially determined rates.
• No disallowed fee-for-service claims paid for a recipient already covered by PASSE
ALA review revealed an exception affecting payments for five BH recipients as detailed below:
Sample item 3: The IA expired on March 29, 2022, and no other IA was completed prior to June 30, 2023. Payments for this recipient were made for dates of service from July 1, 2022 through March 31, 2023. Questioned costs totaled $7,806.
Sample item 6: The IA expired on May 22, 2021, and no other IA was completed prior to June 30, 2023. Payments for this recipient were made for dates of service from July 1, 2022 through June 30, 2023. Questioned costs totaled $4,315.
Sample item 10: The IA expired on May 9, 2023, and no other IA was completed prior to June 30, 2023. Payments for this recipient were made for dates of service from May 10, 2023 through June 30, 2023. Questioned costs totaled $1,594.
Sample item 12: The IA expired on June 23, 2021, and no other IA was completed prior to June 30, 2023. Payments for this recipient were made for dates of service from July 1, 2022 through June 30, 2023. Questioned costs totaled $13,247.
Condition and Context (Continued):
Sample item 27: The IA dated August 4, 2022, indicated a level of need designation that did not support the services provided. Payments for this recipient continued for dates of service from August 4, 2022 through April 10, 2023. Questioned costs totaled $8,334.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$35,296
Cause:
The Agency did not adequately monitor IAs to ensure they were completed timely. In addition, although ARKids B recipients could have been removed from the benefit rolls and services discontinued, the Agency treated them as though they were subject to the continuous coverage requirements of the Families First Coronavirus Response Act (FFCRA), which was applicable to all Medicaid and Medicaid expansion recipients. ARKids B recipients are not considered Medicaid or Medicaid expansion recipients. All deficiencies above relate to payments coded to ARKids B recipients.
Effect:
Gaps were revealed in performance of the required IAs and need level designations included on IAs did not support the services provided. As a result, payments were made outside the approved/updated dates of service.
Recommendation:
ALA staff recommend the Agency review and strengthen its independent assessment procedures to ensure they are completed timely, support the services provided, and are in accordance with federal regulations.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with this finding. As the Public Health Emergency has concluded, the agency has returned to normal operations which requires disenrollment of any PASSE member that has not received an independent assessment within the last 12 months.
Anticipated Completion Date: Complete
Contact Person: Elizabeth Pitman
Director, Division of Medical Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-244-3944
Elizabeth.Pitman@dhs.arkansas.gov
Finding Number: 2023-025
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021; 05-2305AR3002
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Eligibility
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-028.
Criteria:
In accordance with 45 CFR § 75.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statues, regulations, and terms and conditions of the award.
The Agency is responsible for determining if Children’s Health Insurance Program (CHIP) recipients meet the eligibility criteria as specified in its approved State Plan. Eligibility requirements for CHIP are outlined in the Arkansas Medical Services Manual. The Manual contains specific CHIP policies and procedures and is in addition to the approved State Plan.
The State’s ARKids First program includes three separate recipient aid categories under which children receive benefits. Placement in these categories is determined based on monthly household income and a Federal Poverty Level (FPL) percentage.
1. ARKids A (Medicaid) is funded through the Medical Assistance Program grant and provides coverage as follows:
• Children under the age of 6 with household income up to 142% of the FPL.
• Children aged 6 - 18 with household income up to 100% of the FPL.
2. ARKids A (MCHIP) is funded through the CHIP grant in accordance with the Affordable Care Act and provides coverage to children aged 6 - 18 with household income over 100% of the FPL up to 142% of the FPL.
3. ARKids B is funded through the CHIP grant and provides coverage to children up to the age of 19 with household incomes from 142% of the FPL up to 211% of the FPL. Once determined eligible, recipients remain eligible for a 12-month period, regardless of changes in household income.
Additionally, Section 6008 of the Families First Coronavirus Response Act (FFCRA) allowed for a temporary Federal Medical Assistance Percentage (FMAP) increase during the public health emergency (PHE). In accordance with FFCRA, a state is not eligible for the temporary FMAP increase if the state reduces the medical assistance for which the beneficiary is eligible for beneficiaries who were enrolled as of March 18, 2020, or become enrolled after that date but no later than the last day of the month in which the emergency period ends.
Condition and Context:
The State received approval for a CHIP PHE state plan amendment that became effective on March 18, 2020. The amendment allowed certain eligibility requirements to be waived through the duration of the PHE and included the following:
• Waived requirements related to timely processing of applications and renewals.
• Delayed processing of renewals and extended deadlines for families to respond to renewal requests.
Condition and Context (Continued):
• Delayed action on closure for certain changes in circumstances for CHIP beneficiaries. However, the following circumstances for closure will be allowed during the PHE:
Recipient ceases to be a resident of the state
Voluntary closure.
Eligibility due to fraud, abuse or perjury, or death.
• Waived co-payments for COVID-19 testing and treatment for the duration of the PHE.
Additionally, CMS guidance states that when information is received and processed regarding an enrollee and the state determines the enrollee ineligible for CHIP, the state is required to process the termination and transfer the individual to Medicaid or the Exchange. The guidance further states that PHE state plan amendments do not grant the state authority to extend eligibility periods for those determined ineligible for coverage under CHIP, which would include the ARKids B and Unborn Children programs.
In December 2022, the federal Consolidated Appropriations Act of 2023 gave states the authority to begin the process of re-determining eligibility for Medicaid enrollees kept on Medicaid rolls due to the continuous coverage requirement beginning April 1, 2023, and to reinstate routine eligibility operations. States have 12 months to initiate renewals and an additional two months to complete the process.
ALA selected 60 active CHIP recipient identification numbers to determine if PHE rules were followed when re-determination of benefits was made. ALA reviewed revealed the following deficiencies:
• The Agency failed to move two recipients from ARKids B to ARKids A – Medicaid when household income and size qualified the recipients for ARKids A – Medicaid. Claims incorrectly paid from CHIP totaled $11,470 (federal portion - $9,676).
• The Agency improperly extended benefits past the allowed 60 day post-partum period for one recipient enrolled in the Unborn Children aid category due to the PHE. Claims incorrectly paid from CHIP totaled $23 (federal portion – $19)
• The Agency improperly moved one recipient from ARKids A - Medicaid to ARKids B based on a change of income. As this change would result in a reduction in services provided to the recipient, it was inconsistent with the requirements of section 6008(b)(3) of the FFCRA. Claims incorrectly paid from CHIP totaled $336 (federal portion - $283).
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$9,978
Cause:
Errors in the Arkansas Integrated Eligibility System (ARIES) system resulted in improper eligibility determinations. Additionally, discussion with Agency personnel indicated that top-level Agency management chose to continue allowing the ARKids B eligibility segments to remain open, even though information was provided that should have resulted in an ineligible determination. This is in direct conflict with CMS guidance issued on January 6, 2021, clarifying that ARKids B cases MUST be closed once deemed ineligible.
Effect:
Expenditures were not accurately reported to the federal awarding agency, were not paid from the appropriate grant award, and were not funded at the appropriate federal rate.
Recommendation:
ALA staff recommend the Agency design and implement internal controls over compliance to ensure that recipients are placed in the appropriate recipient aid category.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. The agency is conducting an ARIES system review to determine the root cause of the incorrect eligibility determinations and will identify and implement any needed updates to the automatic renewal process.
Anticipated Completion Date: 4/30/2024
Contact Person: Mary Franklin
Director, Division County Operations
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-681-8377
Mary.Franklin@dhs.arkansas.gov
Finding Number: 2023-026
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2305AR3002
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions -
Provider Eligibility (Fee-for-Service)
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-029.
Criteria:
According to section 140.000, Provider Participation, any provider of health services must be enrolled in the Arkansas Medicaid Program prior to reimbursement for any services provided to Arkansas Medicaid beneficiaries. Enrollment is considered complete when a provider has signed and submitted the following forms:
• Application.
• W-9 tax form.
• Medicaid provider contract.
• PCP agreement, if applicable.
• EPSDT agreement, if applicable.
• Change in ownership control or conviction of crime form.
• Disclosure of significant business transactions form.
• Specific license or certification based on provider type and specialty, if applicable.
• Participation in the Medicare program, if applicable.
42 CFR § 455.414 (effective March 25, 2011, with an extended deadline of September 25, 2016, for full compliance) states that the State Medicaid Agency must revalidate the enrollment of all providers at least every five years. Revalidation includes a new application; satisfactory completion of screening activities; and if applicable, fee payment. Screening activities vary depending on the risk category of the provider as follows:
• The limited-risk category includes database checks.
• The moderate-risk category includes those required for limited plus site visits.
• The high-risk category includes those required for moderate plus fingerprint background checks.
Condition and Context:
From a population of 5,984 providers, ALA staff reviewed files of 40 providers to ensure sufficient, appropriate evidence was provided to support the determination of eligibility, including compliance with revalidation requirements. ALA review revealed deficiencies with two of the provider files as follows:
Moderate-risk category:
Sample item 28: The provider’s revalidation was due by May 23, 2023, but was not performed. In addition, the Agency did not perform the additional screening requirement (site visit). Questioned costs totaled $801.
Limited-risk category:
Sample item 36: The provider’s revalidation was due by June 12, 2023, but was not performed. Questioned costs totaled $503.
Condition and Context (Continued):
NOTE: Because of the Coronavirus pandemic, the Centers for Medicare and Medicaid Services (CMS), under section 1135(b)(1)(B) of the Social Security Act, approved Arkansas’s request to temporarily cease revalidation, including screening requirements of providers located in Arkansas or otherwise directly impacted by the emergency. This was effective as of March 1, 2020, and continued through the expiration of the Public Health Emergency (PHE) on May 11, 2023. State agencies were given six additional months to complete revalidations that were due during the PHE.
The deficiencies noted above were due subsequent to May 11, 2023.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$1,304
(Known questioned costs greater than $25,000 for a type of compliance requirement are required to be reported. In evaluating the effect of questioned costs on the opinion on compliance, the auditor considers the best estimate of total costs questioned [likely questioned costs], not just the questioned costs specifically identified. The auditor must also report known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.)
Cause:
The Agency had asserted that, effective May 31, 2019, it established and implemented new procedures to improve the following areas of provider enrollment: maintenance of provider enrollment application documents, provider revalidation, site visits, and fingerprint background requirements. Although testing results support that improvements have been made since the new procedures were implemented, deficiencies continued to exist during state fiscal year 2023.
Effect:
Claims were processed and paid to providers that did not meet all the required elements and, therefore, were ineligible.
Recommendation:
ALA staff recommend the Agency review and strengthen controls to ensure that revalidations are performed timely and that required enrollment documentation is maintained to support provider eligibility.
Views of Responsible Officials and Planned Corrective Action:
DHS disputes the finding. The revalidation date for the provider noted in sample item 28 was 7/20/2022. Per CMS guidance, revalidations, site visits, and fingerprint background checks were paused during the COVID Public Health Emergency (PHE) (3/1/2020-5/11/2023) and states were given until 11/11/2023 to complete revalidations due during the PHE. As this provider’s revalidation and site visit were completed on 10/12/2023, the agency is in compliance with all provider revalidation requirements.
Based on research conducted by DMS, the provider noted in sample item 36 was not enrolled until 9/16/2018. Therefore, the revalidation date for this provider is 9/16/2023 as opposed to 6/12/2023 and there would be no questioned cost for the audit period.
Anticipated Completion Date: Complete
Contact Person: Elizabeth Pitman
Director, Division of Medical Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-244-3944
Elizabeth.Pitman@dhs.arkansas.gov
Additional Comments from the Auditor:
Deficiencies are determined based on support provided by the Agency and reviewed by auditors during an iterative process performed during fieldwork. This includes any documentation supporting revalidation due dates. Auditors concluded based upon information provided.
Finding Number: 2023-027
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.767 – Children’s Health Insurance Program
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5021; 05-2305AR3002
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Provider Eligibility (Managed Care Organizations)
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-030.
Criteria:
According to section 140.000, Provider Participation, any provider of health services must be enrolled in the Arkansas Medicaid Program prior to reimbursement for any services provided to Arkansas Medicaid beneficiaries. Managed Care Network providers must also be enrolled in the Arkansas Medicaid Program. Enrollment is considered complete when a provider has signed and submitted the following forms:
• Application.
• W-9 tax form.
• Medicaid provider contract.
• PCP agreement, if applicable.
• EPSDT agreement, if applicable.
• Change in ownership control or conviction of crime form.
• Disclosure of significant business transactions form.
• Specific license or certification based on provider type and specialty, if applicable.
• Participation in the Medicare program, if applicable.
42 CFR § 455.414 (effective March 25, 2011, with an extended deadline of September 25, 2016, for full compliance) states that the State Medicaid Agency must revalidate the enrollment of all providers at least every five years. Revalidation includes a new application; satisfactory completion of screening activities; and if applicable, fee payment. Screening activities vary depending on the risk category of the provider as follows:
• The limited-risk category includes database checks.
• The moderate-risk category includes those required for limited plus site visits.
• The high-risk category includes those required for moderate plus fingerprint background checks.
Condition and Context:
To determine if Managed Care Network providers met all necessary criteria to participate in the CHIP program, ALA staff selected 40 provider files from a population of 2,776 for review. The providers selected participated in the Dental managed care program, commonly referred to as Healthy Smiles, and the Provider-Led Arkansas Shares Savings Entity, or PASSE, managed care program. ALA review revealed deficiencies with four of the provider files as follows:
Limited-risk category:
Sample item 9: The provider failed to revalidate timely. Revalidation was due by September 25, 2016, but was not performed until July 7, 2023. Ineligible costs totaled $256.
Condition and Context (Continued):
Limited-risk category (Continued):
Sample item 19: The Agency did not provide documentation of the required W-9 that covered the entire enrollment period. The Agency has since obtained an updated W-9 effective October 5, 2023. Ineligible costs totaled $96.
Sample item 33: The Agency did not provide documentation of the provider’s licensure that covered the entire enrollment period. Ineligible costs totaled $2,006.
Sample item 37: The Agency did not provide documentation of the required application that covered the entire enrollment period. Ineligible costs totaled $3,416.
Total ineligible costs identified above totaled $5,774 for PASSE. There were no ineligible costs identified for Dental Managed Care.
NOTE: Because these providers are participating in the managed care portion of CHIP, providers are reimbursed by the managed care organizations, not the Agency. The managed care organizations receive a predetermined monthly payment from the Agency in exchange for assuming the risk for the covered recipients.
These monthly payments are actuarially determined based, in part, on historical costs data. Accordingly, the failure to remove unallowable cost data from the amounts utilized by the actuary would lead to overinflated future rates, which will be directly paid by the Agency.
In addition, because of the Coronavirus pandemic, the Centers for Medicare and Medicaid Services (CMS), under section 1135(b)(1)(B) of the Social Security Act, approved Arkansas’s request to temporarily cease revalidation, including screening requirements, of providers located in Arkansas or otherwise directly impacted by the emergency. This was effective as of March 1, 2020, and continued through the expiration of the Public Health Emergency (PHE), on May 11, 2023. State agencies were given six additional months to complete revalidations that were due during the PHE.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
Unknown
Cause:
The Agency asserted that, effective May 31, 2019, it established and implemented new procedures to improve the following areas of provider enrollment: maintenance of provider enrollment application documents, provider revalidation, site visits, and fingerprint background requirements. Although testing results support that improvements have been made since the new procedures were implemented, deficiencies continued to exist during fiscal year 2023.
Effect:
Claims were processed and paid to providers that did not meet all the required criteria.
Recommendation:
ALA staff recommend the Agency review and strengthen controls to ensure that revalidations are performed timely and that required enrollment documentation is maintained to support provider eligibility.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs, in part, and disputes, in part, the finding. Effective May 31, 2019, DMS established and implemented new procedures to improve the following areas of provider enrollment: maintenance of provider application documents, provider revalidation, site visits and fingerprint background requirements. The deficiency noted for the provider referenced in sample item 9 relates to non-compliance with site visit requirements pre-dating May 31, 2019, and CMS’s approval of the agency’s corrective action plan. Since CMS implemented 1135 waiver flexibilities during the Public Health Emergency (PHE), the provider was not terminated and was notified of the agency’s intent to revalidate their enrollment within six months of the end of the PHE. The provider successfully completed the revalidation process prior to the expiration of the 1135 waiver flexibilities.
The absence of enrollment documentation noted in sample items 19 and 37 can be attributed to transitions and document storage issues that occurred within the legacy MMIS system. Since the time of enrollment for these two providers, the agency has made multiple updates to the MMIS system to capture and retain enrollment documentation. The agency has obtained the required documentation noted as missing for both sample items. The deficiency noted in sample item 33 has been resolved as the agency has verified licensure of the provider covering the audit period.
Anticipated Completion Date: Complete
Contact Person: Elizabeth Pitman
Director, Division of Medical Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-244-3944
Elizabeth.Pitman@dhs.arkansas.gov
Additional Comments from the Auditor:
As noted in the finding above, the deficiency for sample item #9 is based on the provider’s untimely revalidation, not the Agency’s failure to perform a site visit. A revalidation was due 09/25/2016, prior to the PHE and questioned costs are calculated after expiration of the 1135 PHE waiver for the period 5/12/23 through 06/30/23.
Finding Number: 2023-028
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5MAP; 05-2305AR5MAP
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Eligibility
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-022.
Criteria:
In accordance with 45 CFR § 75.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statues, regulations, and terms and conditions of the award.
In addition, 42 CFR § 435.1009 states that federal financial participation (FFP) is not available for payments made on behalf of individuals who are inmates in public institutions, including eligible juveniles. To be considered an inmate of a public institution, a person must be living in an institution that is the responsibility of a governmental unit or over which a governmental unit exercises administrative control.
Finally, under section 1001 of the Substance Use Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act (SUPPORT Act), states are 1) prohibited from terminating the Medicaid eligibility of an “eligible juvenile” who becomes an inmate of a public institution, 2) required to process applications submitted by incarcerated youth, and 3) required to re-determine the Medicaid eligibility of eligible juveniles before their release from a public institution.
An eligible juvenile is defined as a “juvenile who is an inmate of a public institution and who (A) was determined eligible for medical assistance under the State plan immediately before becoming an inmate of such a public institution; or (B) is determined eligible for such medical assistance while an inmate of a public institution.”
In compliance with this requirement, Medical Services Manual section D-380 states that coverage for children entering the custody of the Division of Youth Services (DYS) will be placed in suspension status for up to 12 months from the initial approval or most recent renewal. When a child with suspended Medicaid eligibility receives eligible medical treatment off the grounds of the juvenile detention facility (inpatient services) or is released from custody, the child’s Medicaid case will be reinstated for a fixed eligibility period from the date of hospitalization to the date of hospital discharge. Once the child returns to the DYS state-run facility, the Medicaid case is re-suspended.
Condition and Context:
ALA staff selected 60 files for incarcerated juveniles to determine whether the State is properly suspending a juvenile’s benefit coverage when the juvenile is held in a public institution and then properly reinstating coverage when the juvenile is placed in non-public institutions or released from DYS custody. ALA’s review also included ensuring that benefit payments were not made for dates of service that fell within the juvenile’s incarceration period.
ALA review revealed the following deficiencies:
• The Agency failed to appropriately suspend Medicaid benefits for three juveniles in DYS custody. ALA also identified payments, totaling $8,860, made for dates of service within the incarceration period for two of these individuals. The federal portion of these payments totaled $6,836.
• Although the Agency appropriately suspended benefits for 23 juveniles, the payments, totaling $40,963, were made for dates of service within the incarceration period for these juveniles. The federal portion of the Medicaid payments totaled $30,621.
Condition and Context (Continued):
• Although the Agency appropriately suspended benefits for 4 of the 60 juveniles tested, the Agency failed to properly reinstate benefits after their incarceration ended. Additionally, the Agency paid claims, totaling $8,477, for dates of service within the incarceration period for these juveniles. The federal portion of these payments totaled $6,577.
• The Agency failed to appropriately suspend and reinstate benefits for 7 of the 60 selected juveniles. As a result, payments totaling $51,042 were made for dates of service within the incarceration period for these juveniles. The federal portion of these payments totaled $39,423.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$83,457
Cause:
The Agency failed to properly monitor Medicaid eligibility for juveniles in DYS custody. Suspensions of benefits were not always entered timely, were entered with incorrect effective dates, or were not entered into the system when an eligible juvenile was incarcerated.
Effect:
The Agency improperly received and used funds for payments made on behalf of incarcerated juveniles.
Recommendation:
ALA staff recommend the Agency design and implement internal controls over compliance to ensure that Medicaid benefits are properly suspended when eligible juveniles are incarcerated and properly reinstated when leaving DYS facilities, based on guidance set forth in the Medical Services Policy Manual and in compliance with federal regulations.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. Since June 2023, DYS has made multiple changes to improve monitoring of suspension and reinstatement of Medicaid eligibility for incarcerated juveniles. For juveniles with SSI Medicaid, the Social Security Administration (SSA) is responsible for suspending Medicaid coverage. All incarcerations for cases noted in the findings involving SSI Medicaid were reported timely to SSA by the agency. DYS closely monitors these cases and continues to send closure requests to SSA until the cases are closed out. DYS has also updated its communication processes with DCO to ensure cases are suspended and reinstated in a timely manner. All payments noted as occurring during the incarceration period were capitated payments made for the PASSE, Dental Managed Care, NET, and PCCM programs. Some audit findings highlighted payments made for members during their month of incarceration, which is acceptable for all programs. The full monthly rate is paid for Dental Managed Care, NET, and PCCM even if the member is only eligible for part of the month. The PASSE program operates on a per-diem basis and any payments made for days when the member is ineligible are recouped as part of a monthly reconciliation.
The agency currently has a reconciliation process for all four programs that identifies payments made after a member’s incarceration date that should be recouped. Some payments noted in the findings will be recouped as part of a reconciliation process that has yet to run. In addition to the current reconciliation process, the agency is in the process of developing an MMIS change that will automatically update member profiles to accurately reflect incarceration dates. This will ensure capitated payments are paused and reinstated in a timely manner and that recoupments and repayments are subsequently processed.
Anticipated Completion Date: 6/30/2024
Contact Person: Elizabeth Pitman
Director, Division of Medical Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-244-3944
Elizabeth.Pitman@dhs.arkansas.gov
Finding Number: 2023-029
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5MAP; 05-2305AR5MAP
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Eligibility
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
Not applicable
Criteria:
In accordance with 45 CFR § 75.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statues, regulations, and terms and conditions of the award.
In addition, 42 CFR § 435.1009 states that federal financial participation (FFP) is not available for payments made on behalf of individuals who are inmates in public institutions. To be considered an inmate of a public institution, a person must be living in an institution that is the responsibility of a governmental unit or over which a governmental unit exercises administrative control.
Additionally, Section 6008 of the Families First Coronavirus Response Act (FFCRA) allowed for a temporary Federal Medical Assistance Percentage (FMAP) increase during the Public Health Emergency (PHE). In accordance with FFCRA, a state is not eligible for the temporary FMAP increase if the state reduces the medical assistance for which the beneficiary is eligible for beneficiaries who were enrolled as of March 28, 2020, or become enrolled after that date but no later than the last day of the month in which the emergency period ends.
Condition and Context:
The State received approval for a Medicaid PHE state plan amendment that became effective on March 18, 2020. The amendment allowed certain eligibility requirements to be waived through the duration of the PHE and included the following:
• Waived requirements related to timely processing of applications and renewals.
• Delayed processing of renewals and extended deadlines for families to respond to renewal requests.
• Delayed action on closure for certain changes in circumstances for Medicaid beneficiaries. However, the following circumstances for closure will be allowed during the PHE:
Recipient ceases to be a resident of the state.
Voluntary closure
Eligibility was due to fraud, abuse or perjury, or death.
• Waived co-payments for COVID-19 testing and treatment for the duration of the PHE.
In December 2022, the federal Consolidated Appropriations Act, 2023 gave states the authority to begin the process of re-determining eligibility for Medicaid enrollees kept on Medicaid rolls due to continuous coverage requirement beginning April 1, 2023, and to reinstate routine eligibility operations. States have 12 months to initiate renewals and an additional two months to complete the process.
ALA selected 60 active Medicaid recipient identification numbers to determine if eligibility determinations and redeterminations were made in accordance with the State Plan and relevant PHE rules.
Condition and Context (Continued):
ALA review revealed the following deficiencies:
• If an incarcerated recipient is eligible for at least one day of service during the month of incarceration, the entire payment for that month would be allowed and not recouped. All payments after the month of incarceration would be recouped.
One recipient was incarcerated on September 20, 2022. The Agency continued to pay claims during the incarceration for dates of service in October and November 2022 totaling $1,127. The claim payments were not recouped as required. Questioned costs representing the federal portion totaled $874.
• One recipient was simultaneously enrolled in dual Medicaid state aid categories. ALA made the Agency aware of the error, which the Agency corrected on November 14, 2023. Because the state aid categories are from the same funding source, no questioned costs were identified.
• The Agency improperly moved one recipient from ARKids A - Medicaid to ARKids B based on a change of income. As this change would result in a reduction in services provided to the recipient, it was inconsistent with the requirements of section 6008(b)(3) of the FFCRA. No questioned costs were identified.
• The Agency determined an incorrect end date for one recipient’s coverage under the Pregnant Woman-Limited (PW) category. Due to this error, coverage under PW ended prior to the birth of her child and resulted in the Agency improperly opening a Parent Caretaker Relative case under PHE rules. The Agency later reopened the PW segment, which resulted in dual segments within the system. No questioned costs were identified.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$874
(Known questioned costs greater than $25,000 for a type of compliance requirement are required to be reported. In evaluating the effect of questioned costs on the opinion on compliance, the auditor considers the best estimate of total costs questioned [likely questioned costs], not just the questioned costs specifically identified. The auditor must also report known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program.)
Cause:
Errors in the ARIES system resulted in improper eligibility determinations. Additionally, MMIS claims payment system improperly reopened a previously closed eligibility segment. According to Division of County Operations (DCO) staff, the cause of previously closed eligibility segment’s reopening in MMIS is unknown at this time.
Effect:
Expenditures were not accurately reported to the federal awarding agency, were not paid from the appropriate grant award, and were not funded at the appropriate federal rate.
Recommendation:
ALA staff recommend the Agency design and implement internal controls over compliance to ensure that recipients are placed in the appropriate recipient aid categories.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. The agency is in the process of developing an MMIS change that will automatically update member profiles to accurately reflect incarceration dates. This will ensure capitated payments are paused and reinstated in a timely manner and that recoupments and repayments are subsequently processed. The agency is conducting an ARIES system review to determine the root cause of the incorrect eligibility determinations and will identify and implement any needed updates to the automatic renewal process.
Anticipated Completion Date: 6/30/2024
Contact Person: Mary Franklin
Director, Division County Operations
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-681-8377
Mary.Franklin@dhs.arkansas.gov
Finding Number: 2023-030
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
AL Number(s) and Program Title(s): 93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2305AR5MAP
Federal Award Year(s): 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Provider Eligibility (Fee-for-Service)
Type of Finding: Noncompliance and Material Weakness
Repeat Finding:
A similar issue was reported in prior-year finding 2022-034.
Criteria:
According to section 140.000, Provider Participation, any provider of health services must be enrolled in the Arkansas Medicaid Program prior to reimbursement for any services provided to Arkansas Medicaid beneficiaries. Enrollment is considered complete when a provider has signed and submitted the following forms:
• Application.
• W-9 tax form.
• Medicaid provider contract.
• PCP agreement, if applicable.
• EPSDT agreement, if applicable.
• Change in ownership control or conviction of crime form.
• Disclosure of significant business transactions form.
• Specific license or certification based on provider type and specialty, if applicable.
• Participation in the Medicare program, if applicable.
42 CFR § 455.414 (effective March 25, 2011, with an extended deadline of September 25, 2016, for full compliance) states that the State Medicaid Agency must revalidate the enrollment of all providers at least every five years. Revalidation includes a new application; satisfactory completion of screening activities; and if applicable, fee payment. Screening activities vary depending on the risk category of the provider as follows:
• The limited-risk category includes database checks.
• The moderate-risk category includes those required for limited plus site visits.
• The high-risk category includes those required for moderate plus fingerprint background checks.
Condition and Context:
From a population of 11,165, ALA staff reviewed files of 40 providers to ensure sufficient, appropriate evidence was provided to support the determination of eligibility, including compliance with revalidation requirements. ALA’s review revealed deficiencies with three of the provider files as follows:
Moderate-risk category:
Sample item 21: This provider enrolled on August 28, 2018, and the Agency failed to provide documentation of the required site visit during enrollment. As a result, amounts paid to the provider from August 28, 2018 through February 29, 2020, and May 12, 2023 through June 30, 2023, are considered questioned costs. Questioned costs totaled $9,611.
In accordance with the CMS 1135 waiver, revalidations, site visits, and fingerprint background checks were paused from March 1, 2020 through May 11, 2023, as a result of the Public Health Emergency (PHE). Amounts paid to the provider during the PHE are not included in the questioned costs noted above.
Condition and Context (Continued):
Limited-risk category:
Sample item 29: This provider enrolled on February 3, 2015. A revalidation was due on February 3, 2020, but was not completed until June 28, 2023. As a result, amounts paid to the provider from February 3, 2020 through February 29, 2020, and May 12, 2023 through June 27, 2023, are considered questioned costs. Questioned costs totaled $5,934.
In accordance with the CMS 1135 waiver, revalidations, site visits, and fingerprint background checks were paused from March 1, 2020 through May 11, 2023, due to the PHE. In addition, revalidations due during the PHE could be extended to November 11, 2023. However, this provider’s revalidation was due prior to March 1, 2020; therefore, the extension is not applicable in this case. Amounts paid to the provider during the PHE are not included in the questioned costs noted above
Sample item 32: The Agency failed to provide documentation of the provider’s certification that covered any portion of fiscal year 2023. Questioned costs totaled $18,757.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$34,302
Cause:
The Agency had asserted that, effective May 31, 2019, it established and implemented new procedures to improve the following areas of provider enrollment: maintenance of provider enrollment application documents, provider revalidation, site visits, and fingerprint background requirements. Although testing results support that improvements have been made since the new procedures were implemented, deficiencies continued to exist during fiscal year 2023.
Effect:
Claims were processed and paid to providers that did not meet all the required elements and, therefore, were ineligible.
Recommendation:
ALA staff recommend the Agency review and strengthen controls to ensure that required revalidations are performed timely and required enrollment documentation is maintained to support provider eligibility.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. Effective May 31, 2019, DMS established and implemented new procedures to improve the following areas of provider enrollment: maintenance of provider application documents, provider revalidation, site visits and fingerprint background requirements. The deficiency noted for the provider referenced in sample item 21 relates to non-compliance with site visit requirements pre-dating May 31, 2019 and CMS’s approval of the agency’s corrective action plan. A site visit was performed for this provider on 8/31/2023. The agency has created system controls that require site visits before a moderate or high-risk provider may enroll with Arkansas Medicaid.
The provider noted in sample item 29 began the revalidation process in December of 2019 and their application was set to terminate at the end of February 2020. The provider was not terminated before beginning of the Public Health Emergency (PHE) with their revalidation date being reset to 9/5/2023 when the CMS 1135 waiver flexibilities were implemented. The provider has since timely completed the revalidation process.
The provider noted in sample item 32 did not keep its certification up to date for the audit period. During the PHE, many licensing and certification agencies were not processing new requests or renewals for extended periods of time. A review of this provider’s information revealed that it is likely that they would have been able to maintain continued certification. The agency has automated its certification verification process to terminate providers if a certification lapses for any reason.
Anticipated Completion Date: Complete
Contact Person: Elizabeth Pitman
Director, Division of Medical Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-244-3944
Finding Number: 2023-031
State/Educational Agency(s): Arkansas Department of Human Services
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 93.778 – Medical Assistance Program
(Medicaid Cluster)
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): 05-2205AR5MAP; 05-2305AR5MAP
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Special Tests and Provisions –
Medicaid Recovery Audit Contractors (RACs)
Type of Finding: Material Noncompliance and Material Weakness
Repeat Finding:
Not applicable.
Criteria:
In accordance with 45 CFR § 75.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and terms and conditions of the award.
In addition, 42 CFR § 455.502 established the Medicaid Recovery Audit Contractor (RAC) program as a measure for States to promote the integrity of the Medicaid program. States must enter into contracts with one or more eligible Medicaid RACs to carry out the activities described at 42 CFR 455.506, which includes reviewing claims submitted by providers or other individuals for which payment has been made to identify underpayments and overpayments and recouping overpayments. Under 42 CFR § 455.516, a State may seek to be excepted from some or all Medicaid RAC contracting requirements by submitting a written justification to CMS requesting CMS review and approval through the State Plan amendment (SPA) process.
Condition and Context:
ALA made inquiries to determine if there were any internal controls in place for which testing could be performed. It was determined that there were no documented internal controls nor were there any internal controls in place at the Agency that pertained to the Medicaid RAC program.
In addition, ALA performed testing to determine if the State had established a Medicaid RAC with an eligible contractor that was conducting the required Medicaid RAC activities in accordance with the approved state plan including any exceptions.
The results of ALA testing revealed that, although there was no SPA in place that authorized an exception for the State to not have a Medicaid RAC in place, there were no contracts in place with any RACs for the year ended June 30, 2023.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
None
Cause:
The Agency did not adequately develop internal control procedures for its staff to ensure compliance with federal regulations related to the Medicaid RAC program. In addition, documentation obtained during fieldwork indicated that the Agency acknowledged in November 2022 that an updated SPA needed to be submitted to CMS either to establish the Office of Medicaid Inspector General (OMIG) as the RAC or to request an exemption from the requirement to contract with a RAC. However, the Agency had not requested a waiver through a SPA as of fieldwork date of October 3, 2023.
Effect:
Failure to implement appropriate procedures for internal controls led to the Agency’s non-compliance with federal regulations pertaining to the Medicaid RAC program.
Recommendation:
ALA staff recommend the Agency either contract with an eligible RAC to perform the functions required under the Medicaid RAC program, in accordance with the approved Medicaid State Plan, or submit an SPA to CMS, as the Agency indicated was its intent, in a timely manner either to establish OMIG as the RAC or to request an exemption from the requirement to contract with a RAC.
Views of Responsible Officials and Planned Corrective Action:
DHS concurs with the finding. The agency will request that CMS grant a full exemption from the requirement that a state enter a contract with a Medicaid Recovery Audit Contractor.
Anticipated Completion Date: 5/31/2024
Contact Person: Elizabeth Pitman
Director, Division of Medical Services
Department of Human Services
700 Main Street
Little Rock, AR 72201
501-244-3944
Elizabeth.Pitman@dhs.arkansas.gov
Finding Number: 2023-032
State/Educational Agency(s): Arkansas Department of Commerce –
Division of Workforce Services
Pass-Through Entity: Not Applicable
ALN Number(s) and Program Title(s): 97.050 – COVID 19: Presidential Declared Disaster
Assistance to Individuals and Households – Other Needs
(Supplemental Payments for Lost Wages)
Federal Awarding Agency: Federal Emergency Management Agency
Federal Award Number(s): 4518DRARSPLW
Federal Award Year(s): Not Applicable
Compliance Requirement(s) Affected: Activities Allowed or Unallowed;
Eligibility
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
Not applicable
Criteria:
In accordance with 2 CFR § 200.303, a non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the award.
In addition, 2 CFR § 200.516(a)(6) requires the auditor to report known or likely fraud affecting a federal award.
Condition and Context:
In state fiscal year 2023, the Division of Workforce Services (DWS) identified 64 claims paid for Lost Wages Assistance (LWA) totaling $67,500 as likely fraud. This is in addition to the claims identified in the previous fiscal years.
Statistically Valid Sample:
Not a statistically valid sample
Questioned Costs:
$67,500
Cause:
In response to the increase in demand for services/benefits, the State relaxed controls over identify verification and income verification for the program during fiscal year 2021. DWS continued to identify claims in fiscal year 2023 that were paid during fiscal year 2021.
Effect:
Lack of appropriate internal controls resulted in overpayments of federal funds.
Recommendation:
ALA staff recommend the Agency continue to strengthen controls over benefit payments to ensure that payments are made in the correct amounts and to eligible claimants. Additionally, ALA staff recommend the Agency continue to seek recoupment of the identified overpayments, returning them to the appropriate source.
Views of Responsible Officials and Planned Corrective Action:
Due to the health concerns of the pandemic as well as unprecedented claims volume, claimants were not required to come into a local office for identity verification, the waiting week was waived for 2020, and the requirements for work search were adjusted in order to protect employees and claimants.
Before the pandemic, all claimants were required to come to the local office to verify their identity. Removing these process controls resulted in several consequences as itemized below:
• By waiving the waiting week, the claimant was able to receive payment the following week. For example, a fraudster could file a claim on Friday, then receive payment on Sunday, removing the typical week that an employer would respond to validate the separation from employment.
• The information mailed to the employer and claimant were not received before payments were made due to the lack of waiting week.
• Businesses were closed at that time and did not respond to the unemployment paperwork timely to report fraudulent claims.
• Identity theft fraudsters often changed the address of the individuals for which they had filed claims in order to prevent the victims from being notified and reporting the fraud.
In 2020, the work search requirement was reinstated. In 2021, all claimants had to verify their identity in-person at the local office before the claim was opened for a regular unemployment claim. The UIdentify program was utilized for identity verification for the PUA claims filed after January 1, 2021. The waiting week was reinstated in January 2021, which lengthened the time period for employers to respond before payment was issued.
In addition, Internal Audit created the Fraud Investigation Unit and hired additional staff to focus on investigating the identity theft fraud claims. When the perpetrator is identified, a determination is issued and an overpayment is established in the perpetrator’s name/SSN for collection. The NASWA Integrity Data Hub (IDH) crossmatch was implemented in July 2020 as well in an effort to identify additional fraudulent claims for investigation.
ADWS was the first UI program to implement 2 projects with the Department of Labor for identity verification. One is using Login.gov and the other involves the United States Postal Service where they verify the identity of claimants for using multifactor authentication and in person presentation of ID. The Login.gov pilot started in 2022 and the USPS pilot project started in 2023.
1. The Login.gov project uses the current system that Federal agencies use to verify identity and went into service in Arkansas as of March 2022. A link is given to the claimant, when they select verify ID through login.gov and go through the steps to verify their identity through the federal government system. If they are approved, we are sent an IA2 verification to the UI processing system to allow staff to match back to the claim to prove ID verification.
2. The United States Postal Service project, implements in Arkansas March 2023, offers the claimant the same link as Login.gov, but grants the additional option to verify their identity at any US Post Office in the country. A barcode is created and must be taken with a valid government-issued ID (they are given examples) along with proof of current address to the post office in person. If they are approved, we are sent an IA2 verification to the UI processing system to allow staff to match back to the claim to prove ID verification.
Anticipated Completion Date: Corrective action was taken for the ALA staff recommendations
Contact Person: Sheri Rooney
Program Administrator
Arkansas Division of Workforce Services
#2 Capitol Mall
Little Rock, AR 72201
501-682-3382
Sheri.Rooney@arkansas.gov
Finding Number: 2023-033
State/Educational Agency(s): University of Arkansas for Medical Sciences
Pass-Through Entity: Not applicable
AL Number(s) and Program Title(s): 93.600 – Head Start Cluster
Federal Awarding Agency: U.S. Department of Health and Human Services
Federal Award Number(s): Unknown*
Federal Award Year(s): 2022 and 2023
Compliance Requirement(s) Affected: Reporting
Type of Finding: Noncompliance and Significant Deficiency
Repeat Finding:
A similar issue was reported in prior-year finding 2022-045.
Criteria:
The requirements for reporting are contained in Section 200.328 which states unless otherwise approved by OMB, the Federal awarding agency must solicit only the OMB-approved governmentwide data elements for collection of financial information (at time of publication the Federal Financial Report or such future, OMB approved, governmentwide data elements available from the OMB designated standards lead. This information must be collected with the frequency required by the terms and conditions of the federal award.
Condition and Context:
UAMS did not submit the annual Federal Financial Report (FFR) and the annual Real Property Status Report (SF-429) timely.
Statistically Valid Sample:
This sample was not intended to be, and was not, a statistically valid sample.
Questioned Costs:
$0
Cause:
UAMS’ processes did not ensure reports were submitted timely.
Effect:
Effect not provided in the report received from other external auditor.
Recommendation:
We recommend that management design and implement internal controls that will ensure that all required reports are submitted timely.
*Federal Award Number(s) not provided in the report received from other external auditor.
Views of Responsible Officials and Planned Corrective Action:
Due to the prior year finding, management set a goal to ensure reporting deadlines are met by hiring an additional grants accounting staff member dedicated to monitor the head start program regulations and ensure reports are completed and filed timely. Grants accounting staff planned to utilize checklist functionality in the new financial system that will send required task notifications prior to reporting due dates to assist in meeting reporting deadlines. A new staff member was hired in July 2023. The responsibilities of the new staff member required several months of training and additional time to reconcile the head start accounts causing the January 30, 2023, report to be filed 3 days late. New processes have been implemented where the staff member assigned to the head start program meets weekly with the head start finance manager and director to discuss expenses allocated to the grants, assign tasks to be complete each week, and discuss reporting needs and deadlines.
The new implemented processes have proven to assist in proper oversight and accurate financial management of the grants and allowed us to meet the last reporting deadline in November 2023.
Anticipated Completion Date: Implemented
Contact Person: Kristy L. Walters, MBA, CPA, CHFP, CISA
Associate Vice Chancellor for Finance & Treasurer
University of Arkansas for Medical Sciences
UAMS, 4301 W. Markham St, Slot 632
Little Rock, AR 72205
(501) 686-6836, (501) 686-8137
walterskristy@uams.edu
Views of Responsible Officials and Planned Corrective Action:
Due to the prior year finding, management set a goal to ensure reporting deadlines are met by hiring an additional grants accounting staff member dedicated to monitor the head start program regulations and ensure reports are completed and filed timely. Grants accounting staff planned to utilize checklist functionality in the new financial system that will send required task notifications prior to reporting due dates to assist in meeting reporting deadlines. A new staff member was hired in July 2023. The responsibilities of the new staff member required several months of training and additional time to reconcile the head start accounts causing the January 30, 2023, report to be filed 3 days late. New processes have been implemented where the staff member assigned to the head start program meets weekly with the head start finance manager and director to discuss expenses allocated to the grants, assign tasks to be complete each week, and discuss reporting needs and deadlines.
The new implemented processes have proven to assist in proper oversight and accurate financial management of the grants and allowed us to meet the last reporting deadline in November 2023.
Anticipated Completion Date: Implemented
Contact Person: Kristy L. Walters, MBA, CPA, CHFP, CISA
Associate Vice Chancellor for Finance & Treasurer
University of Arkansas for Medical Sciences
UAMS, 4301 W. Markham St, Slot 632
Little Rock, AR 72205
(501) 686-6836, (501) 686-8137
walterskristy@uams.edu