Audit 303323

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.

Finding 2023‐001—Significant Deficiency in Internal Controls over Compliance: Research and Development Cluster Program—Research and Development Cluster (R&D) Criteria—Compliance with the financial management and internal control requirements outlined in Title 2 below, exhibited the following U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; Sections 200.302‐303 (“Section 200.302‐303”) is required for all federal awards. Section 200.302‐303 outlines the various requirements around documentation and internal controls. Condition and Context—Baystate Health’s internal controls over R&D allowable costs, special tests and provisions, and amounts reported on the schedule of expenditures of federal awards (SEFA) in accordance with Section 200.302‐303 were not appropriately designed and implemented, or operated, effectively. Specifically, during the 2023 audit, the following conditions were identified:  In instances, controls, as described below, exhibited the following: o Certain roles and responsibilities within the Sponsored Programs Administration (SPA) were inadequately defined and not understood by control owners o inconsistent documentation evidencing review over R&D compliance requirements o lack of a central repository for documentation related to the performance of internal control procedures and compliance with grant requirements  For five out of 40 National Institute of Health salary cap selections related to special tests and provisions, the monthly review of the summary report by grant activity was not adequately and consistently performed. The summary report is editable by end users and the review performed was not precise enough to identify formula errors in the calculations; or key personnel who were incorrectly excluded from the report.  The review of indirect costs and fringe benefits on the SPA intake form was not precise enough to identify errors in a timely manner. The SPA form includes key grant data and is used in the initial setup of new grants to input indirect cost and fringe benefit rates in the general ledger system. For two out of 16 selections of indirect costs and fringe benefit amounts errors were not identified on a timely basis and were corrected in a subsequent period.  The review and preparation of the SEFA for R&D grants was not timely and precise enough to ensure accuracy. This resulted in a lack of accuracy of grant award information presented on the SEFA; as well as the inclusion of grant expenses pertaining to prior fiscal periods on the current year’s SEFA since they were not identified timely in the prior years. Approximately $39 thousand in R&D expenditures related to prior fiscal years was included on the 2023 SEFA as they were not identified timely in prior fiscal years. These control deviations when considered in the aggregate are indicative of a significant deficiency in the design, implementation, and operating effectiveness of the internal controls. Questioned Costs—none Cause—Personnel responsible for internal controls over compliance related to R&D were not adequately aware of the documentation requirements of Section 200.302‐303. Additionally, the internal control framework is not clearly defined and relies heavily on manual control processes that are highly susceptible to human error. Reviews were not performed a precise enough level and on a timely basis. Effect—Failures in internal controls have the potential to result in instances of noncompliance with R&D grant requirements. Recommendation— The delay in completing the September 30, 2023, Uniform Guidance audit procedures as well as the deficiencies in internal controls identified during the audit related to R&D indicates that the controls over compliance for R&D should be assessed and, where necessary, corrective action needs to be taken to enable Baystate Health to produce appropriate supporting documentation on a timely basis and maintain appropriate internal controls over all compliance requirements. Specifically, we recommend that:  The roles and responsibilities of the individuals involved in the SPA should be challenged to ensure that all critical functions are addressed; the distribution of responsibilities is appropriate; and positions include an element of cross‐training. The capabilities of the individuals and the level of resources should be assessed to make sure that they are consistent with the responsibilities assigned.  Policies and procedures should be developed, documented and maintained/updated for all significant grant‐related activities. On‐going monitoring should take place to assure that such policies and procedures are executed accurately. Internal controls could be enhanced by standardizing best practices and providing ongoing training regarding federal requirements over compliance and documentation.  A system should be implemented to maintain documentation related to internal controls and compliance requirements for federal grants in such a way that this documentation is easily accessible and clearly interpretated.  The process for calculating and reviewing salary cap requirements should be revised to include a check that the reports reviewed as part of the control process are complete and accurate.  Controls should be implemented consistently to facilitate a timely review of indirect cost and fringe benefit rates at the initial set‐up of the activity within the general ledger.  A more thorough closing process should be performed to review information included on the SEFA and to record grant‐related expenses timely to minimize the risk of recognizing out‐of‐period expenses for SEFA reporting.