Finding 2023-031 (other noncompliance / significant deficiency – new finding)
WIC SPECIAL SUPPLEMENTAL NUTRITION PROGRAM FOR WOMEN, INFANTS AND CHILDREN – 10.557
Federal Awarding Agency: United States Department of Agriculture (USDA), Food and Nutrition Service
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 224RI705W1003, 224RI705W1006, 234RI705W1003, 234RI705W1006
Administered by: Rhode Island Department of Health (RIDOH)
Compliance Requirements: Allowable Costs/Cost Principles
CONTROLS OVER REGULATIONS FOR CERTAIN MAXIMUM MONTHLY ALLOWANCES
RIDOH controls over the determination of monthly benefit allowances within the program need to be enhanced to ensure participants’ monthly commodity thresholds comply with federal regulations.
Background: The Special Supplemental Nutrition Program for Women, Infants and Children (WIC) is a federally funded nutrition program. The program’s mission is to safeguard the health of low-income women, infants, and children (up to the age of 5) who are at nutritional risk. The program provides nutritious foods to supplement diets, information on healthy eating, breastfeeding promotion and support, and referrals to health care. The Food and Nutrition Service (FNS) provides federal grants to State agencies, which are responsible for the administration of the WIC Program at the State level. Crossroads is the WIC eligibility management information system that provides case management, vendor management and fiscal management of WIC funds.
Criteria: Federal regulation 7 CFR §246.10(e)(9), Table 1, Footnote 7, states that State agencies must provide at least the Full Nutritional Benefit (FNB) authorized to non-breastfed infants up to the maximum monthly allowance (MMA) for the physical form of the product specified for each food package category.
Condition: We reviewed a random sample of forty monthly benefit issuances within the Crossroads System and noted three instances where the infant formula benefit issuance exceeded the infant formula MMA. In the three exceptions noted, the cost of additional formula units issued and expended approximated $130 during fiscal 2023. We evaluated the likely noncompliance caused by the inaccurate system determination of authorized infant formula benefits for the fiscal year. This evaluation determined that while additional questioned costs likely resulted, the excess formula benefit did not result in material noncompliance relating to allowable costs.
Cause: RIDOH misinterpreted the regulation for the program (to properly calculate the MMA for infant formula) for a period which included fiscal year 2023. RIDOH interpreted the regulations using the MMA of 870 fluid ounces reconstituted powder for the rounding up method, rather than the FNB of 806 fluid ounces. Therefore, the Crossroads System was rounding up the MMA to 870 fluid ounces reconstituted powder, resulting in the over-issuance of benefits for the related eligibility period.
Effect: RIDOH exceeded the MMA benefit for certain infant formula benefit issuances for eligible program participants.
Questioned Costs: $130
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-031 Review and correctly implement (if required) regulations for issued food benefit packages in accordance with required federal regulations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-032 (significant deficiency – new finding)
WIC SPECIAL SUPPLEMENTAL NUTRITION PROGRAM FOR WOMEN, INFANTS AND CHILDREN – 10.557
Federal Awarding Agency: U.S. Department of Agriculture (USDA), Food and Nutrition Service
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 224RI705W1003, 224RI705W1006, 234RI705W1003, 234RI705W1006
Administered by: Rhode Island Department of Health (RIDOH)
Compliance Requirements: Allowable Costs/Cost Principles; Eligibility
INFORMATION SYSTEMS SECURITY CONSIDERATIONS RELATING TO THE CROSSROADS MANAGEMENT INFORMATION SYSTEM
Controls over logical access to the Special Supplemental Nutrition Program for Women, Infants and Children’s (WIC) Management Information System (Crossroads) can be enhanced to ensure the timely removal/deactivation of user access privileges upon termination of employment at participating local agencies or clinics. RIDOH should monitor complementary user entity controls performed by its subcontractor in conjunction with its oversight of information systems security for the Crossroads System.
Background: Program specific data and other information for eligible participants of the State’s WIC program is maintained within the Crossroads System. RIDOH contracts the maintenance and operation of the system to a third party and that vendor contracts with a Web Services Provider to host the application. The Crossroads System is utilized by RIDOH and other local agencies and clinics that provide WIC services. RIDOH receives a Service Organization Control (SOC) report for the Web Services Provider that it utilizes in conjunction with its monitoring of information systems security over the system.
Criteria: The State Division of Enterprise Technology Strategy and Services (ETSS) promulgates the State’s information systems security policies and procedures. ETSS policies specific to logical access controls include policy 4.2, Account Management, which requires State agencies to monitor the use of information system accounts. This policy requires user accounts to be deactivated or terminated within one week when a user transfers or terminates employment. Agencies are also required to annually review information system accounts for compliance with account management requirements and to semi-annually review privileged accounts. Privileged and non-privileged accounts should be deactivated after 60 and 90 days of inactivity, respectively.
Management has responsibility for the adequacy of the design and operation of an entity’s control structure, including functions performed by external parties. This responsibility also includes documenting and reviewing designated user entity controls which the service organization assumes are in place and operating effectively for the proper and secure use of the contracted entity’s services.
Condition: WIC officials are responsible for authorizing and managing access to the Crossroads System. The policy for removing individuals from the Crossroads System mandates that the local agency or clinic notify WIC staff of the user(s) requiring access removal/revocation. The system automatically revokes access when a user does not access the system for 90 days.
All participating local agencies and clinics that utilize the Crossroads System are required to contact WIC staff to initiate user deactivation from the System upon terminating employment. In circumstances where a user agency does not request access revocation for an employee upon termination, WIC officials are relying on the system to deactivate these users after the allotted 90 days. WIC officials are not currently monitoring system access to ensure that access is terminated in a timely manner when a user is no longer employed or authorized to use the system. WIC’s current practices do not comply with the State’s policies and procedures for managing system user access and are not considered IT security best practices. Our evaluation of system access identified five (5) individuals who had not logged in for 60+ days. These individuals were no longer employed and should not have remained able to access the system.
While WIC officials review the SOC report for the Web Services Provider, the complementary user entity controls (CUEC) responsibilities included in the report are delegated to the contractor that ensures the maintenance and operation of the system. Due to the importance of securing the system, which administers eligibility for WIC as a federal program, WIC officials should have procedures in place to monitor and document the contractor’s performance of designated CUECs.
Cause: Controls over logical access to the Crossroads System do not comply with ETSS’s adopted policies and procedures. Lack of monitoring of contractor responsibility for performance of user entity controls.
Effect: Users can continue to access the system after employment termination which could result in malicious activity or unauthorized changes that impact program benefits. Nonperformance of user entity controls by the contractor could compromise security over the Crossroads System.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-032a Enhance controls to ensure that the Crossroads System’s user access privileges are deactivated by RIDOH immediately upon a user’s separation from the associated local agency or clinic’s employment.
2023-032b Monitor and document contractor performance of user entity controls identified in the SOC report for the Web Services Provider.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
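The access review that Finding 2023-032 describes can be run as a periodic reconciliation. The following is an added example, not part of the audit report and not RIDOH or Crossroads tooling: it checks an account export against local agency rosters using the ETSS policy 4.2 thresholds quoted in the Criteria. The export fields, roster format, user names and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Thresholds quoted in the finding's Criteria (ETSS policy 4.2).
SEPARATION_GRACE_DAYS = 7        # deactivate within one week of separation
PRIVILEGED_IDLE_DAYS = 60        # privileged accounts: 60 days of inactivity
NON_PRIVILEGED_IDLE_DAYS = 90    # non-privileged accounts: 90 days of inactivity


@dataclass(frozen=True)
class Account:
    """One row of a hypothetical account export (field names are assumptions)."""
    user_id: str
    privileged: bool
    enabled: bool
    created: date
    last_login: Optional[date]   # None means the account has never logged in


Finding = Tuple[str, str, int]   # (user_id, rule, days)


def review_accounts(accounts: List[Account],
                    roster: Dict[str, Optional[date]],
                    as_of: date) -> List[Finding]:
    """Flag enabled accounts that violate the account management rules.

    roster maps user_id to a separation date, or None while still employed.
    An enabled account missing from every roster is reported as well, because
    nobody can confirm that its owner is still authorized.
    """
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue

        # Rule 1: separation. Do not wait for the inactivity timer to fire.
        if acct.user_id not in roster:
            findings.append((acct.user_id, "NOT_ON_ROSTER", 0))
        else:
            separated = roster[acct.user_id]
            if separated is not None and separated <= as_of:
                days = (as_of - separated).days
                rule = ("SEPARATED_OVERDUE" if days > SEPARATION_GRACE_DAYS
                        else "SEPARATED_PENDING")
                findings.append((acct.user_id, rule, days))

        # Rule 2: inactivity. A never-used account is aged from its creation.
        last_activity = acct.last_login or acct.created
        idle = (as_of - last_activity).days
        limit = PRIVILEGED_IDLE_DAYS if acct.privileged else NON_PRIVILEGED_IDLE_DAYS
        if idle >= limit:
            rule = "IDLE_PRIVILEGED" if acct.privileged else "IDLE"
            findings.append((acct.user_id, rule, idle))
    return sorted(findings)


# Constructed sample data (not taken from the audit).
AS_OF = date(2023, 6, 30)
ACCOUNTS = [
    Account("clinic-a.jdoe", False, True, date(2021, 1, 4), date(2023, 4, 20)),
    Account("clinic-b.admin", True, True, date(2020, 5, 1), date(2023, 4, 25)),
    Account("clinic-c.new", False, True, date(2023, 3, 1), None),
    Account("clinic-d.ok", False, True, date(2022, 2, 2), date(2023, 6, 28)),
    Account("clinic-e.gone", False, False, date(2019, 9, 9), date(2022, 12, 1)),
    Account("clinic-f.ghost", False, True, date(2022, 7, 7), date(2023, 6, 1)),
    Account("clinic-g.recent", False, True, date(2022, 8, 8), date(2023, 6, 26)),
]
ROSTER = {
    "clinic-a.jdoe": date(2023, 4, 21),    # separated, agency never notified
    "clinic-b.admin": None,
    "clinic-c.new": None,
    "clinic-d.ok": None,
    "clinic-e.gone": date(2022, 12, 2),
    "clinic-g.recent": date(2023, 6, 27),  # separated three days ago
}

if __name__ == "__main__":
    for user_id, rule, days in review_accounts(ACCOUNTS, ROSTER, AS_OF):
        print(f"{user_id:18} {rule:18} {days:>4} days")
```

In the sample, `clinic-a.jdoe` has been separated for 70 days but is only 71 days idle, so a control that relies solely on the 90-day automatic revocation would still leave the account enabled.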
Finding 2023-033 (other noncompliance / significant deficiency – repeat finding – 2022-059)
WIC SPECIAL SUPPLEMENTAL NUTRITION PROGRAM FOR WOMEN, INFANTS AND CHILDREN – 10.557
Federal Awarding Agency: U.S. Department of Agriculture (USDA), Food and Nutrition Service
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 224RI705W1003, 224RI705W1006, 234RI705W1003, 234RI705W1006
Administered by: Rhode Island Department of Health (RIDOH)
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019-2024
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
Compliance Requirements: Allowable Costs/Cost Principles
TIME AND EFFORT REPORTING
RIDOH can enhance controls over time and effort reporting to ensure accurate allocations and reimbursements from federal programs.
Background: RIDOH has built robust, yet complex, time reporting worksheets for employees to allocate their time spent on various activities during the week. Reconciliation of the hours worked versus the hours charged to the State’s payroll system and accounting system is performed on a quarterly basis. Amounts recorded are adjusted accordingly to ensure charges in the accounting system are consistent with actual time charged to various programs.
Criteria: 45 CFR §75.430(i)(1) and 2 CFR §200.430(i)(1) require that “Charges to Federal awards for salaries and wages must be based on records that accurately reflect the work performed.”
Condition: Our review of personnel costs identified the following deficiencies that weaken controls over the allowability of personnel expenditures:
• Amounts allocated to federal programs for personnel costs were not consistently supported by properly signed and reviewed timesheets. While RIDOH was able to provide timesheets for all selected pay periods, for the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) program, 6 of the 80 selected weekly timesheets lacked a supervisor signature. This was considered a control deficiency, but not noncompliance since the employee reported time and effort which supported allocation to the ELC program.
• One individual noted in our ELC payroll sample (4 weekly time sheets) did not have their recorded payroll adjusted through the subsequent quarterly entry to accurately reflect work performed on federal programs. This resulted in payroll costs being overallocated to the ELC program (questioned costs - $3,355).
• For both ELC and the Special Supplemental Nutrition Program for Women, Infants and Children (WIC), we noted time and effort recorded to generalized timesheet category codes (i.e., Administrative Support, Finance and Operations, ICS – Incident Command System) lacked sufficient detail (i.e., underlying activity performed in support of related category code) to support its specific federal program allocation. Questioned costs could not be determined due to the lack of time and effort detail reported.
Cause: Policies and procedures were ineffective to ensure amounts claimed and reimbursed by federal programs for personnel costs were reflective of the actual work performed on the various programs/projects listed. The State’s lack of sufficient timesheet detail prevented direct verification of recorded timesheet activities to the underlying charges on federal programs.
Effect: Personnel costs reimbursed from federal awards could be unallowable due to insufficient support and documentation.
Questioned Costs: $3,355 (ELC – 93.323)
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-033 Enhance weekly reporting of time and effort to improve documentation and support for personnel costs charged to federal programs.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-034 (other noncompliance / material weakness – repeat finding – 2022-041)
UNEMPLOYMENT INSURANCE – 17.225
Federal Awarding Agency: U.S. Department of Labor (DOL), Employment and Training Administration
Federal Award Fiscal Year: Not Applicable
Federal Award Number: Not Applicable – Direct Payments with Unrestricted Use Funded through U.S. Treasury Trust Fund
Administered by: Department of Labor and Training (DLT)
Compliance Requirement: Eligibility
CONTROLS OVER UNEMPLOYMENT INSURANCE BENEFIT PAYMENTS
Controls over the processing of unemployment insurance claims were insufficient to prevent ineligible unemployment insurance benefit payments.
Background: Individuals applying for unemployment benefits must comply with certain eligibility requirements to qualify for and maintain benefits through the program. States need to rely on systems and technology to administer unemployment insurance programs and ensure that individuals meet the various program requirements to receive benefits.
The system used by DLT to process unemployment insurance (UI) benefits utilizes outdated technology. This legacy system is mainframe-based and has reached end of life with a need for replacement. During the pandemic, the State enhanced application processing by implementing new “cloud-based” technologies designed to handle significant applicant volume and to employ controls to validate applicant identity and prevent program fraud. In contrast, the legacy benefit administration and payment system lacks the integration and controls inherent in modernized unemployment insurance systems and represents a risk to business continuity. During fiscal year 2023, benefit payments exceeded $150 million.
Criteria: Management is responsible for establishing and maintaining effective internal controls to process and disburse unemployment insurance benefits consistent with federal program guidelines.
Unemployment Insurance (UI) is funded by a tax on employers. UI is for individuals who earn wages from an employer who is required by law to pay the UI tax. UI work search requirements dictate that all unemployment insurance claimants are required to be actively seeking work. To receive UI benefits, eligibility requirements include:
1. Applicants to be unemployed through no fault of their own OR that their work hours MUST have been reduced.
2. All unemployment insurance claimants are required to actively seek work.
3. For non-exempt claimants, per U.S. DOL “Basic Registration” into EmployRI is required at the time the initial UI claim is filed and “Full Registration” occurs once the claimant is active in the system by completing a work search activity (e.g., posts a resume, completes a job search, etc.).
4. Per RI DLT Memorandum of UI Résumé Project (REF: 2019-UI-PROC-1517) “UI customers are required under Rule 1.18(F)(4) and (G) to post a résumé by the 6th week of benefit payments.”
Collections on overpayments due to error, ineligibility, or fraud must be reported and credited to the appropriate source that funded the unemployment insurance benefits.
Condition: While our testing found that unemployment insurance payments complied with most program eligibility requirements, noncompliance with certain requirements (specifically related to work search requirements) was noted. We tested a random sample of 60 individual benefit payments totaling $400,826 in fiscal 2023. In conjunction with our testing, the following exceptions were deemed to be in noncompliance with eligibility requirements that resulted in ineligible benefit payments (sample payments for ineligible individuals totaled $1,413):
• 1 of 60 (2%) was not denied/sent to adjudication for ineligible termination of employment. Scanned documentation (form UI425) from the employer in the OnBase Imaging system stated that the claimant was discharged/fired from employment for violating company policy; however, AS400 states the claimant’s reason of termination was Lack of Work.
• 1 of 60 (2%) recorded the claimant’s name incorrectly in multiple screens of the UI mainframe system (AS400), OnBase Imaging system, and the EmployRI system (evidence of identity verification was lacking due to case record deficiencies).
• 2 of 60 (4%) were not registered in the EmployRI system.
• 5 of 60 (8%) did not have a résumé in the EmployRI system.
Actual questioned costs during our audit period totaled $30,943 for these individuals.
In addition, we identified the following deficiencies in work requirement documentation during our testing that we deemed to be documentation deficiencies with State UI requirements. However, these deficiencies were not deemed to represent ineligible benefit payments:
• 31 of 60 (52%) had incomplete résumés in the EmployRI system. Each résumé had between 20%-60% completion rates and remained offline.
• The EmployRI system does not accurately record résumé modification dates. The system changes the modification date when a résumé is viewed, losing the audit trail of when it was last modified.
Beyond the above control considerations, DLT’s current mainframe system has reached end of life and poses significant business continuity risks to unemployment insurance benefit operations. Planning to modernize DLT’s systems is underway and should consider how enhanced and more integrated system controls over eligibility can be employed.
Cause: DLT’s internal control procedures were not sufficiently effective to ensure that unemployment benefit payments were made only to eligible individuals. DLT has not implemented compensating controls for the UI mainframe’s lack of functionality. The lack of integration between the current mainframe and other support applications (i.e., OnBase Imaging and EmployRI systems) limits DLT’s ability to implement automated controls to enhance compliance with certain UI requirements. DLT does not have adequate controls in place to detect noncompliance with work search requirements (i.e., EmployRI registration).
Effect: UI benefits were paid to ineligible individuals who did not comply with program eligibility requirements.
Questioned Costs: $30,943
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2023-034a Implement compensating controls to identify non-compliance with program requirements.
2023-034b Ensure that on-going considerations for the modernization of the unemployment benefit program administration system maximize automated processes designed to enhance controls over eligibility requirements.
Auditee views: The auditee partially disagrees with this finding – see Corrective Action Plan in Section E.
Finding 2023-035 (material noncompliance / material weakness – repeat finding – 2022-042)
UNEMPLOYMENT INSURANCE – 17.225
Federal Awarding Agency: U.S. Department of Labor (DOL), Employment and Training Administration
Federal Award Fiscal Year: Not Applicable
Federal Award Number: Not Applicable – Direct Payments with Unrestricted Use Funded through U.S. Treasury Trust Fund
Administered by: Department of Labor and Training (DLT)
Compliance Requirement: Special Tests and Provisions – UI Program Integrity - Overpayments
UNEMPLOYMENT INSURANCE PROGRAM INTEGRITY – OVERPAYMENTS
The Department of Labor and Training (DLT) did not make the necessary changes to its system to allow for the imposition of penalties on overpayments due to fraud, and to prohibit relief from charges to an employer’s Unemployment Compensation (UC) account when the overpayment was the result of the employer’s failure to respond timely or adequately to a request for information.
Criteria: Federal law provides that (1) States are required to impose a monetary penalty (not less than 15 percent) on claimants whose fraudulent acts resulted in overpayments and deposit the funds in the State’s account in the Unemployment Trust Fund, and (2) States are prohibited from providing relief from charges to an employer’s UC account when overpayments are the result of the employer’s failure to respond timely or adequately to a request for information.
Pub. L. No. 112-40, enacted on October 21, 2011, and effective October 21, 2013, amended sections 303(a) and 453A of the Social Security Act and sections 3303, 3304, and 3309 of the Federal Unemployment Tax Act (FUTA) to improve program integrity and reduce overpayments. (See UIPL Nos. 02-12, and 02-12, Change 1.)
In compliance with federal law, the State enacted these requirements into State law effective October 1, 2013, including a 15% penalty on overpayments due to claimant fraud (RIGL 28-42-62.1(a)(4)) and a prohibition on relieving the employer’s account of charges relating to any benefit overpayments made if the employer was at fault for failure to respond timely or adequately to a department request for information relating to the claim (RIGL 28-43-3(2)(viii)).
Condition: During fiscal 2023, DLT was not properly identifying and handling overpayments, including, as applicable, assessment of the 15% penalty on claimants who commit fraud, and not relieving an employer’s account of charges for overpayments when their untimely or inaccurate responses cause improper payments. The significant amount of fraud experienced during the pandemic coupled with the system not assessing the required penalties on these overpayments continued to result in material noncompliance with federal regulations during fiscal 2023. Overpayments must be established and communicated to the recipient to initiate collection. DLT is aware of the requirement and the need for programming modifications to its current system or planned modernization.
Cause: DLT has not implemented the UI system programming required to impose penalties for overpayments due to fraud.
Effect: Noncompliance with federal and State laws as well as lost revenue on penalties not assessed.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-035 Adopt procedures to: (1) impose and collect a 15% penalty on benefit overpayments of claimants who commit fraud (RIGL 28-42-62.1(a)(4)) and (2) prohibit providing relief to an employer account when an overpayment is the result of the employer’s failure to respond timely or adequately to a request for information by the State agency (RIGL 28-43-3(2)(viii)).
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-036 (material weakness – new finding)
UNEMPLOYMENT INSURANCE – 17.225
Federal Awarding Agency: U.S. Department of Labor (DOL), Employer Tax Unit
Federal Award Fiscal Year: Not Applicable
Federal Award Number: Not Applicable – Direct Payments with Unrestricted Use Funded through U.S. Treasury Trust Fund
Administered by: Department of Labor and Training (DLT)
Compliance Requirement: Special Tests and Provisions – Employer Experience Rating
CONTROLS OVER EMPLOYER EXPERIENCE RATING
Controls over the processing of employer tax were insufficient to identify changes in tax rates and improper disbursement of refunds.
Background: Certain benefits accrue to states and employers by having a federally approved experience-rated UI tax system. All states currently have an approved system. For the proper administration of the system, the DLT maintains accounts, or subsidiary ledgers, on State UI taxes received or due from individual employers, and the UI benefits charged to the employer. The employer’s “experience” with the unemployment of former employees is the dominant factor in the DLT computation of the employer’s annual State UI tax rate. The computation of the employer’s annual tax rate is based on State UI law (26 USC 3303).
Experience rating systems are generally highly automated systems. DLT relies on its old mainframe system to determine experience ratings for employers. When employers appeal their employer tax rate, DLT will evaluate the appeal and, if required, evaluate and redetermine the experience rating for that employer. This process is highly dependent on manual processes and key personnel within the Employer Tax Unit.
Criteria: Management is responsible for establishing and maintaining effective internal controls to collect and process employer taxes consistent with federal program guidelines including appropriate procedures to ensure employers pay the correct tax rate and tax payments are received timely.
Condition: While our testing found that experience rates determined or adjusted by DLT during fiscal 2023 were proper, internal control procedures could be further enhanced to improve the documentation of tax rate changes and identification of errors that could result during current manual processes. Changes in the employer tax rate result in a refund or bill, and these changes are approved and updated by a single individual. Refund lists are manually reviewed and recalculated by another individual; however, refund thresholds reduce the amount of review performed and evidence of the review is not adequately documented.
DLT’s manually intensive processes lack formalization, result in inadequate segregation of duties, and are prone to error. DLT’s mainframe system has reached end of life, is reliant on key employees for effective operation, and poses significant business continuity risks to unemployment insurance operations. Modernization of DLT’s system should prioritize enhancements to create proper segregation of duties and reduce manual processes to ensure accuracy of rate changes prior to disbursement of tax refunds.
Cause: Control deficiencies exist over the determination of employer experience ratings that are utilized in UI employer tax rate calculations. DLT’s current mainframe requires manual processing of employer experience rating adjustments which are susceptible to error and lack documentation. The department is aware of the system limitations and has communicated concern over its lack of IT support to keep the system running in the future.
Effect: Potential noncompliance if employer experience ratings are not determined in accordance with program requirements.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-036a Implement and document compensating controls to identify non-compliance with program requirements to prevent and detect changes in tax rates and improper disbursement of refunds.
2023-036b Ensure that the future modernization of UI technology ensures that adjustments to employer experience ratings are more automated, clearly documented, and less reliant on key employees to ensure effective operation.
Auditee views: The auditee partially disagrees with this finding – see Corrective Action Plan in Section E.
Finding 2023-034 (other noncompliance / material weakness – repeat finding – 2022-041)
UNEMPLOYMENT INSURANCE – 17.225
Federal Awarding Agency: U.S. Department of Labor (DOL), Employment and Training Administration
Federal Award Fiscal Year: Not Applicable
Federal Award Number: Not Applicable – Direct Payments with Unrestricted Use Funded through U.S. Treasury Trust Fund
Administered by: Department of Labor and Training (DLT)
Compliance Requirement: Eligibility
CONTROLS OVER UNEMPLOYMENT INSURANCE BENEFIT PAYMENTS
Controls over the processing of unemployment insurance claims were insufficient to prevent ineligible unemployment insurance benefit payments.
Background: Individuals applying for unemployment benefits must comply with certain eligibility requirements to qualify for and maintain benefits through the program. States need to rely on systems and technology to administer unemployment insurance programs and ensure that individuals meet the various program requirements to receive benefits.
The system used by DLT to process unemployment insurance (UI) benefits utilizes outdated technology. This legacy system is mainframe-based and has reached end of life with a need for replacement. During the pandemic, the State enhanced application processing by implementing new “cloud-based” technologies designed to handle significant applicant volume and to employ controls to validate applicant identity and prevent program fraud. In contrast, the legacy benefit administration and payment system lacks the integration and controls inherent in modernized unemployment insurance systems and represents a risk to business continuity. During fiscal year 2023, benefit payments exceeded $150 million.
Criteria: Management is responsible for establishing and maintaining effective internal controls to process and disburse unemployment insurance benefits consistent with federal program guidelines.
Unemployment Insurance (UI) is funded by a tax on employers. UI is for individuals who earn wages from an employer who is required by law to pay the UI tax. UI work search requirements dictate that all unemployment insurance claimants are required to be actively seeking work. To receive UI benefits, eligibility requirements include:
1. Applicants to be unemployed through no fault of their own OR that their work hours MUST have been reduced.
2. All unemployment insurance claimants are required to actively seek work.
3. For non-exempt claimants, per U.S. DOL “Basic Registration” into EmployRI is required at the time the initial UI claim is filed and “Full Registration” occurs once the claimant is active in the system by completing a work search activity (e.g., posts a resume, completes a job search, etc.).
4. Per RI DLT Memorandum of UI Résumé Project (REF: 2019-UI-PROC-1517) “UI customers are required under Rule 1.18(F)(4) and (G) to post a résumé by the 6th week of benefit payments.”
Collections on overpayments due to error, ineligibility, or fraud must be reported and credited to the appropriate source that funded the unemployment insurance benefits.
Condition: While our testing found that unemployment insurance payments complied with most program eligibility requirements, noncompliance with certain requirements (specifically related to work search requirements) was noted. We tested a random sample of 60 individual benefit payments totaling $400,826 in fiscal 2023. In conjunction with our testing, the following exceptions were deemed to be in noncompliance with eligibility requirements that resulted in ineligible benefit payments (sample payments for ineligible individuals totaled $1,413):
• 1 of 60 (2%) was not denied/sent to adjudication for ineligible termination of employment. Scanned documentation (form UI425) in the Onbase Imaging system from the employer stating claimant was discharged/fired from employment for violating company policy, however, AS400 states claimant’s reason of termination was for Lack of Work.
• 1 of 60 (2%) recorded the claimant’s name incorrectly in multiple screens of the UI mainframe system (AS400), OnBase Imaging system, and the EmployRI system (Evidence of identity verification due to case record deficiencies was lacking).
• 2 of 60 (4%) were not registered in the EmployRI system.
• 5 of 60 (8%) did not have a résumé in the EmployRI system.
Actual questioned costs during our audit period totaled $30,943 for these individuals.
In addition, we identified the following deficiencies in work requirement documentation during our testing that we deemed to be documentation deficiencies with State UI requirements. However, these deficiencies were not deemed to represent ineligible benefit payments:
• 31 of 60 (52%) had incomplete résumés in the EmployRI system. Each résumé had a completion rate between 20% and 60% and remained offline.
• The EmployRI system does not accurately record résumé modification dates. The system changes the modification date whenever a résumé is viewed, losing the audit trail of when it was last modified.
Beyond the above control considerations, DLT’s current mainframe system has reached end of life and poses significant business continuity risks to unemployment insurance benefit operations. Planning to modernize DLT’s systems is underway and should consider how enhanced and more integrated system controls over eligibility can be employed.
Cause: DLT’s internal control procedures were not sufficiently effective to ensure that unemployment benefit payments were made only to eligible individuals. DLT has not implemented compensating controls for the UI mainframe’s lack of functionality. The lack of integration between the current mainframe and other support applications (i.e., OnBase Imaging and EmployRI systems) limits DLT’s ability to implement automated controls to enhance compliance with certain UI requirements. DLT does not have adequate controls in place to detect noncompliance with work search requirements (i.e., EmployRI registration).
Effect: UI benefits were paid to ineligible individuals who did not comply with program eligibility requirements.
Questioned Costs: $30,943
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2023-034a Implement compensating controls to identify non-compliance with program requirements.
2023-034b Ensure that on-going considerations for the modernization of the unemployment benefit program administration system maximize automated processes designed to enhance controls over eligibility requirements.
Auditee views: The auditee partially disagrees with this finding – see Corrective Action Plan in Section E.
Finding 2023-035 (material noncompliance / material weakness – repeat finding – 2022-042)
UNEMPLOYMENT INSURANCE – 17.225
Federal Awarding Agency: U.S. Department of Labor (DOL), Employment and Training Administration
Federal Award Fiscal Year: Not Applicable
Federal Award Number: Not Applicable – Direct Payments with Unrestricted Use Funded through U.S. Treasury Trust Fund
Administered by: Department of Labor and Training (DLT)
Compliance Requirement: Special Tests and Provisions – UI Program Integrity - Overpayments
UNEMPLOYMENT INSURANCE PROGRAM INTEGRITY – OVERPAYMENTS
The Department of Labor and Training (DLT) did not make the necessary changes to its system to allow for the imposition of penalties on overpayments due to fraud, and to prohibit relief from charges to an employer’s Unemployment Compensation (UC) account when the overpayment was the result of the employer’s failure to respond timely or adequately to a request for information.
Criteria: Federal law provides that (1) States are required to impose a monetary penalty (not less than 15 percent) on claimants whose fraudulent acts resulted in overpayments and deposit the funds in the State’s account in the Unemployment Trust Fund, and (2) States are prohibited from providing relief from charges to an employer’s UC account when overpayments are the result of the employer’s failure to respond timely or adequately to a request for information.
Pub. L. No. 112-40, enacted on October 21, 2011, and effective October 21, 2013, amended sections 303(a) and 453A of the Social Security Act and sections 3303, 3304, and 3309 of the Federal Unemployment Tax Act (FUTA) to improve program integrity and reduce overpayments. (See UIPL Nos. 02-12, and 02-12, Change 1.)
In compliance with federal law, the State enacted these requirements into State law effective October 1, 2013, including a 15% penalty on overpayments due to claimant fraud (RIGL 28-42-62.1(a)(4)) and a prohibition on relieving the employer’s account of charges relating to any benefit overpayments made if the employer was at fault for failure to respond timely or adequately to a department request for information relating to the claim (RIGL 28-43-3(2)(viii)).
Condition: During fiscal 2023, DLT was not properly identifying and handling overpayments, including, as applicable, assessment of the 15% penalty on claimants who commit fraud, and not relieving an employer’s account of charges for overpayments when their untimely or inaccurate responses cause improper payments. The significant amount of fraud experienced during the pandemic coupled with the system not assessing the required penalties on these overpayments continued to result in material noncompliance with federal regulations during fiscal 2023. Overpayments must be established and communicated to the recipient to initiate collection. DLT is aware of the requirement and the need for programming modifications to its current system or planned modernization.
Cause: DLT has not implemented the UI system programming required to impose penalties for overpayments due to fraud.
Effect: Noncompliance with federal and State laws as well as lost revenue on penalties not assessed.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-035 Adopt procedures to: (1) impose and collect a 15% penalty on benefit overpayments of claimants who commit fraud (RIGL 28-42-62.1(a)(4)) and (2) prohibit providing relief to an employer account when an overpayment is the result of the employer’s failure to respond timely or adequately to a request for information by the State agency (RIGL 28-43-3(2)(viii)).
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-036 (material weakness – new finding)
UNEMPLOYMENT INSURANCE – 17.225
Federal Awarding Agency: U.S. Department of Labor (DOL), Employer Tax Unit
Federal Award Fiscal Year: Not Applicable
Federal Award Number: Not Applicable – Direct Payments with Unrestricted Use Funded through U.S. Treasury Trust Fund
Administered by: Department of Labor and Training (DLT)
Compliance Requirement: Special Tests and Provisions – Employer Experience Rating
CONTROLS OVER EMPLOYER EXPERIENCE RATING
Controls over the processing of employer tax were insufficient to identify changes in tax rates and improper disbursement of refunds.
Background: Certain benefits accrue to states and employers by having a federally approved experience-rated UI tax system. All states currently have an approved system. For the proper administration of the system, the DLT maintains accounts, or subsidiary ledgers, on State UI taxes received or due from individual employers, and the UI benefits charged to the employer. The employer’s “experience” with the unemployment of former employees is the dominant factor in the DLT computation of the employer’s annual State UI tax rate. The computation of the employer’s annual tax rate is based on State UI law (26 USC 3303).
Experience rating systems are generally highly automated systems. DLT relies on its old mainframe system to determine experience ratings for employers. When employers appeal their employer tax rate, DLT will evaluate the appeal and, if required, evaluate and redetermine the experience rating for that employer. This process is highly dependent on manual processes and key personnel within the Employer Tax Unit.
Criteria: Management is responsible for establishing and maintaining effective internal controls to collect and process employer taxes consistent with federal program guidelines including appropriate procedures to ensure employers pay the correct tax rate and tax payments are received timely.
Condition: While our testing found that experience rates determined or adjusted by DLT during fiscal 2023 were proper, internal control procedures could be further enhanced to improve the documentation of tax rate changes and identification of errors that could result during current manual processes. Changes in the employer tax rate result in a refund or bill, and these changes are approved and updated by a single individual. Refund lists are manually reviewed and recalculated by another individual; however, refund thresholds reduce the amount of review performed and evidence of the review is not adequately documented.
DLT’s manually intensive processes lack formalization, result in inadequate segregation of duties, and are prone to error. DLT’s mainframe system has reached end of life, is reliant on key employees for effective operation, and poses significant business continuity risks to unemployment insurance operations. Modernization of DLT’s system should prioritize enhancements to create proper segregation of duties and reduce manual processes to ensure accuracy of rate changes prior to disbursement of tax refunds.
Cause: Control deficiencies exist over the determination of employer experience ratings that are utilized in UI employer tax rate calculations. DLT’s current mainframe requires manual processing of employer experience rating adjustments which are susceptible to error and lack documentation. The department is aware of the system limitations and has communicated concern over its lack of IT support to keep the system running in the future.
Effect: Potential noncompliance if employer experience ratings are not determined in accordance with program requirements.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-036a Implement and document compensating controls to identify non-compliance with program requirements to prevent and detect changes in tax rates and improper disbursement of refunds.
2023-036b Ensure that the future modernization of UI technology ensures that adjustments to employer experience ratings are more automated, clearly documented, and less reliant on key employees to ensure effective operation.
Auditee views: The auditee partially disagrees with this finding – see Corrective Action Plan in Section E.
Finding 2023-030 (material noncompliance / material weakness – repeat finding – 2022-039 and 2022-060)
EMERGENCY RENTAL ASSISTANCE PROGRAM – 21.023
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: ERAE0006
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
CORONAVIRUS STATE AND LOCAL FISCAL RECOVERY FUNDS – 21.027
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: SLFRP0136
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019 to 2024
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
DISASTER GRANTS – PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) – 97.036
Federal Awarding Agency: U.S. Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA)
Federal Award Fiscal Years: 2020 to 2023
Federal Award Number: FEMA-4505-DRRIP00000001
Administered by: Rhode Island Emergency Management Agency (RIEMA)
Compliance Requirement: Subrecipient Monitoring
SUBRECIPIENT MONITORING
The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs.
Background: The State relies on grantee agencies to perform subrecipient monitoring, when required, and ensure compliance with federal regulations. There is no statewide monitoring of subrecipient activities to ensure compliance with federal regulations.
Criteria: 2 CFR §200.332(d) “Requirements for pass-through entities” requires that all pass-through entities must “monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.” That monitoring must include (1) reviewing financial and performance reports, (2) following up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, and (3) issuing a management decision for audit findings pertaining to the Federal award.
2 CFR §200.332(a)(1) requires pass-through entities to clearly identify certain Federal award identification information in the subaward (e.g., subrecipient unique entity identifier, Federal Award Identification Number, Assistance Listing number and title, et al.).
Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed subrecipient financial and performance reports, i.e., Single Audit reports, when applicable, or performed other monitoring activities to comply with federal regulations. Based on test results, specific to agency review of Single Audit reports, the following programs were deemed to be in material noncompliance with subrecipient monitoring requirements:
[See Schedule of Findings and Questioned Costs for tables.]
In addition to the noncompliance related to review of subrecipient audit reports noted above, we identified the following deficiencies:
• Emergency Rental Assistance Program and Coronavirus State and Local Fiscal Recovery Funds – The Pandemic Recovery Office (PRO) along with the Department of Housing, through a memorandum of understanding with PRO to administer portions of these programs, executed various subawards with local non-profit organizations. Procedures were in place to review and approve monthly invoice packages for adherence to program requirements and contract budgets, and consistency with key performance indicator data submitted by the subrecipients. However, no on-site monitoring was performed in fiscal 2023 and periodic meetings with subrecipients were not documented.
• Epidemiology and Laboratory Capacity for Infectious Diseases – Subawards executed by the Department of Health did not adequately identify required Federal award identification information.
Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations.
Effect: Noncompliance with federal compliance requirements by subrecipients could occur without being identified by the State in a timely manner.
Questioned Costs: None
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-030 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-037 (other noncompliance / significant deficiency – new finding)
EMERGENCY RENTAL ASSISTANCE PROGRAM – 21.023
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: ERAE0006
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
Compliance Requirement: Allowable Costs/Cost Principles
INSUFFICIENT DOCUMENTATION TO SUPPORT COSTS INCURRED FOR LEGAL SERVICES CHARGED TO THE EMERGENCY RENTAL ASSISTANCE PROGRAM
Documentation and monitoring procedures were inadequate to support allowable legal services that were prepaid to a contractor on a quarterly basis.
Background: The Pandemic Recovery Office (PRO) within Rhode Island Department of Administration executed a memorandum of understanding with the Rhode Island Department of Housing (formerly the Office of Housing and Community Development) to administer certain aspects of the Emergency Rental Assistance (ERA) Program. In fiscal 2023, a contract agreement was signed between the Department of Housing and a vendor to provide legal services for eviction defense to program participants. The vendor contract included an exhibit detailing the anticipated (budgeted) personnel and fringe costs, subcontract amounts, and other non-personnel related costs (computers, supplies, etc.) supporting the contract amount.
Criteria: Uniform Guidance cost principles dictate that in order to be allowable under Federal awards, costs must be adequately documented (2 CFR §200.403(g)).
Condition: The vendor providing legal services to program participants submitted invoices (reviewed as significant transactions during our audit period) to the Department of Housing on a quarterly basis. However, these invoices were submitted at the beginning of the quarterly period (e.g., invoice for the period of March 1, 2023 to May 31, 2023 was dated on March 9, 2023). The invoice amount equated to one fourth of the total contract amount.
Since this program activity was structured as a vendor agreement and not a subaward, the Department of Housing should have obtained supporting documentation of time and effort performed by the vendor during the invoice period to validate the quarterly amount advanced to the vendor. The lack of supporting documentation for these program expenditures constituted a deficiency in internal control over compliance and noncompliance with Uniform Guidance requirements for adequate documentation.
While the transaction amounts to this vendor were deemed significant, program disbursements made based on vendor contracts were infrequent. Most ERA disbursements were administered as subawards, and our review found controls over subawards to be in place and operating effectively.
Cause: Monitoring procedures were inadequate to ensure the contractor utilized the funds provided to support program objectives.
Effect: Program funds could have been used by the contractor for unallowable activities and/or unallowable costs.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-037 Obtain documentation from the legal services contractor to ensure that quarterly time and effort complied with the underlying vendor contract.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-038 (significant deficiency – new finding)
EMERGENCY RENTAL ASSISTANCE PROGRAM – 21.023
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: ERAE0006
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
HOMEOWNER ASSISTANCE FUND – 21.026
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: HAF0142
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
CORONAVIRUS STATE AND LOCAL FISCAL RECOVERY FUNDS – 21.027
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Numbers: SLFRP0136
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
Compliance Requirement: Reporting
FEDERAL FINANCIAL AND PERFORMANCE REPORTING
Controls were not adequate to ensure complete and accurate program reporting.
Background: The Pandemic Recovery Office subgranted with the Rhode Island Housing and Mortgage Finance Corporation (RI Housing), a component unit of the State, to administer certain aspects of the Emergency Rental Assistance (ERA) and Homeowner Assistance Fund (HAF) programs. Certain required data elements, including a significant portion of program expenditures, are generated at RI Housing and reported back to the PRO for inclusion in the required program reporting.
Criteria: The U.S. Treasury has prescribed financial and performance reporting requirements for pandemic recovery programs through electronic submission. Reporting requirements for ERA and HAF include certain key demographic information to showcase the use of funds to aid eligible program participants.
State Fiscal Recovery Funds (SFRF) quarterly reports include detail on each project’s current period and cumulative obligations and expenditures, which should be adequately supported by accounting records. The annual performance report is required to be made publicly available and the report should detail each SFRF-funded project, identifying the funding amount, project expenditure category, and description of the project.
Condition: The PRO does not have adequate procedures in place to ensure that required reports were complete and accurate.
For the SFRF program, the State was required to complete quarterly reports that included both financial and program data and an annual performance report, which includes expenditure and program progress data for each project under the program. The quarterly reports include expenditure and subaward data for individual projects, as well as cumulative data. We selected two quarters and the annual report for testing and noted the following issues:
• Instances where quarterly (i.e., June 2023) and cumulative expenditures per project did not agree to the State accounting system; and
• The annual performance report did not include the project accounting for the PRO administrative expenditures.
For the ERA and HAF programs, required reports include both financial data and performance indicators, principally demographic information of the program participants receiving benefits. As a significant portion of ERA and the majority of HAF are administered by a component unit of the State, this demographic information is forwarded to PRO for inclusion in the report, as are the agency’s supporting files. PRO reviews the files and forwards questions back as needed as part of their quality control process before the reports are completed and submitted. We noted the following issues:
• Required demographic information for one selected quarter could not be verified as completed. PRO did not save a copy of the report at the time of submission, and due to an issue with the federal grantor agency’s system, a completed copy of the submitted report could not be retrieved for testing.
• Underlying support for demographic information provided by the component unit agency did not adequately support the information reported. We noted instances in which the amounts reported did not agree to the data included in the report, or did not include all required elements. The review of reports performed by PRO staff did not identify these reporting deficiencies.
• Expenditure and subaward amounts in ERA quarterly reports did not appear to be reported correctly. We noted several instances in both quarters tested where subaward amounts reported varied from the actual subaward agreements. Additionally, total current and cumulative expenditures reported did not agree to the total of expenditures detailed within the reports.
Cause: Lack of adequate procedures for reconciling reported data to underlying support, including adequate oversight of information provided by the component unit agency.
Effect: Reports may not be accurate or include all required information.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-038a Modify procedures for completing and documenting report data submitted to ensure that reports are properly reconciled to supporting documentation.
2023-038b Resubmit corrected reports, as needed.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-038 (significant deficiency – new finding)
EMERGENCY RENTAL ASSISTANCE PROGRAM – 21.023
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: ERAE0006
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
HOMEOWNER ASSISTANCE FUND – 21.026
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: HAF0142
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
CORONAVIRUS STATE AND LOCAL FISCAL RECOVERY FUNDS – 21.027
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Numbers: SLFRP0136
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
Compliance Requirement: Reporting
FEDERAL FINANCIAL AND PERFORMANCE REPORTING
Controls were not adequate to ensure complete and accurate program reporting.
Background: The Pandemic Recovery Office subgranted with the Rhode Island Housing and Mortgage Finance Corporation (RI Housing), a component unit of the State, to administer certain aspects of the Emergency Rental Assistance (ERA) and Homeowner Assistance Fund (HAF) programs. Certain required data elements, including a significant portion of program expenditures, are generated at RI Housing and reported back to the PRO for inclusion in the required program reporting.
Criteria: The U.S. Treasury has prescribed financial and performance reporting requirements for pandemic recovery programs through electronic submission. Reporting requirements for ERA and HAF include certain key demographic information to showcase the use of funds to aid eligible program participants.
State Fiscal Recovery Funds (SFRF) quarterly reports include detail on each project’s current period and cumulative obligations and expenditures, which should be adequately supported by accounting records. The annual performance report is required to be made publicly available and the report should detail each SFRF-funded project, identifying the funding amount, project expenditure category, and description of the project.
Condition: The PRO does not have adequate procedures in place to ensure that required reports were complete and accurate.
For the SFRF program, the State was required to complete quarterly reports that included both financial and program data and an annual performance report, which includes expenditure and program progress data for each project under the program. The quarterly reports include expenditure and subaward data for individual projects, as well as cumulative data. We selected two quarters and the annual report for testing and noted the following issues:
• Instances where quarterly (i.e., June 2023) and cumulative expenditures per project did not agree to the State accounting system; and
• The annual performance report did not include the project accounting for the PRO administrative expenditures.
For the ERA and HAF programs, required reports include both financial data and performance indicators, principally demographic information of the program participants receiving benefits. As a significant portion of ERA and the majority of HAF are administered by a component unit of the State, this demographic information is forwarded to PRO for inclusion in the report, as are the agency’s supporting files. PRO reviews the files and forwards questions back as needed as part of their quality control process before the reports are completed and submitted. We noted the following issues:
• Required demographic information for one selected quarter could not be verified as completed. PRO did not save a copy of the report at the time of submission, and due to an issue with the federal grantor agency’s system, a completed copy of the submitted report could not be retrieved for testing.
• Underlying support for demographic information provided by the component unit agency did not adequately support the information reported. We noted instances in which the amounts reported did not agree to the data included in the report, or did not include all required elements. The review of reports performed by PRO staff did not identify these reporting deficiencies.
• Expenditure and subaward amounts in ERA quarterly reports did not appear to be reported correctly. We noted several instances in both quarters tested where subaward amounts reported varied from the actual subaward agreements. Additionally, total current and cumulative expenditures reported did not agree to the total of expenditures detailed within the reports.
Cause: Lack of adequate procedures for reconciling reported data to underlying support, including adequate oversight of information provided by the component unit agency.
Effect: Reports may not be accurate or include all required information.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-038a Modify procedures for completing and documenting report data submitted to ensure that reports are properly reconciled to supporting documentation.
2023-038b Resubmit corrected reports, as needed.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-039 (other noncompliance / significant deficiency – new finding)
CORONAVIRUS STATE AND LOCAL FISCAL RECOVERY FUNDS – 21.027
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: SLFRP0136
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
Compliance Requirements: Activities Allowed or Unallowed; Allowable Costs/Cost Principles
TIME AND EFFORT REPORTING
The Pandemic Recovery Office’s time and effort reporting for the State Fiscal Recovery Fund (SFRF) did not provide adequate detail to fully support certain personnel costs charged to the program.
Background: PRO instituted time reporting worksheets for employees to allocate their time spent on SFRF-related activities during the week. On a weekly basis, the agency compares its “Master Timesheet” to each employee’s timesheet for the purpose of recording an adjusting journal entry. This entry is recorded to adjust payroll expenditures in accordance with actual time spent on program activities.
Criteria: 2 CFR §200.430(i)(1) requires that “Charges to Federal awards for salaries and wages must be based on records that accurately reflect the work performed.”
Condition: Our review of payroll costs identified the following deficiencies that weaken controls over the allowability of personnel expenditures:
• During the examination of payroll allocations charged to the program, we identified that one employee’s payroll costs continued to be charged in full to SFRF for 5 pay periods subsequent to their departure from the PRO. PRO did not identify and adjust for this exception during fiscal 2023 (questioned costs - $34,533).
• PRO maintains a Master Timesheet for all its employees and asserts that only individuals listed on the Master Timesheet are eligible to submit payroll charges against SFRF. We noted one employee charged to the program for whom, upon review of the employee time records, no work hours under the SFRF program were reported. While it was explained that this employee was partially dedicated to performing SFRF activities within the Division of Purchasing, no time sheet documentation was provided in support of SFRF activities (questioned costs - $13,132).
• During the review of timesheets for PRO supervisory approval, it was noted that several employee timesheets received approval from their supervisors one, two, and in some instances, three days prior to the conclusion of the pay period. This observation raises concerns regarding the timeliness and accuracy of time reporting, potentially impacting the integrity of payroll processing and adherence to internal controls over timekeeping procedures. According to the PRO, this is due to the Department of Administration’s routine request for submission of timesheets prior to the end of the period. If PRO identifies an instance that requires an amendment to the original timesheet, an amended timesheet will be submitted subsequently.
Cause: Controls over the claiming of personnel expenditures were insufficient to ensure compliance with federal requirements (i.e., adequate documentation of time and effort).
Effect: Personnel expenditures could be unallowable due to a lack of adequate support and/or inaccurate allocation of expenditures to the SFRF program.
Questioned Costs: $47,655
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2023-039a Conduct regular reconciliation and monitoring of payroll charges to agency records to improve documentation and support for personnel costs charged to federal programs.
2023-039b Modify current policies relating to timesheet collection to ensure that supervisory reviews of time and effort reporting are accurate and complete.
Auditee views: The auditee partially disagrees with this finding – see Corrective Action Plan in Section E.
Finding 2023-040 (other matter / significant deficiency – new finding)
STUDENT FINANCIAL ASSISTANCE CLUSTER – 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.342, 93.364
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Years: 2022 to 2023
Federal Award Number: Not Applicable
Administered by: Rhode Island College (RIC)
Compliance Requirements: Special Tests & Provisions – Gramm-Leach-Bliley Act
RHODE ISLAND COLLEGE – GRAMM-LEACH-BLILEY ACT
Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR §314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR §313.3(k)(2)(vi)).
Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.
Context: During our testing of the College’s information technology, we noted that the College’s written security program did not meet the following compliance requirements:
• Ensure that the written information security program describes the use of a data inventory that includes how the institution identifies and manages data, personnel, devices, systems and facilities.
• Ensure that the written information security program identifies the use of multi-factor authentication for individuals accessing sensitive information across systems.
• Ensure that the written information security program includes an adopted change management policy with procedures documented accordingly.
• Ensure that the written information security program is evaluated and adjusted based on monitoring results, risk assessments and penetration tests.
• Ensure the written information security program has been updated within the audit period.
Cause: The College has continued to make progress in updating the College’s written security program to become compliant with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process.
Effect: The student personal information could be vulnerable.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-040 We recommend that the College designate an individual to oversee the information security function and work to update the College’s written security program to ensure compliance with all the standards.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-042 (other matter / significant deficiency – new finding)
STUDENT FINANCIAL ASSISTANCE CLUSTER – 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.342, 93.364
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Years: 2022 to 2023
Federal Award Number: Not Applicable
Administered by: University of Rhode Island (URI)
Compliance Requirements: Special Tests & Provisions – Gramm-Leach-Bliley Act
UNIVERSITY OF RHODE ISLAND – GRAMM-LEACH-BLILEY ACT
Criteria: The Gramm-Leach-Bliley Act (GLBA) (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR §314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR §313.3(k)(2)(vi)). Entities must establish and maintain effective internal control over federal awards (2 CFR §200.303).
Condition: Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. GLBA requires the information security program to include the elements defined at 16 CFR §314.4. During audit testing, it was noted the University did not have all the required elements.
Context: During our testing of the University’s information security plan, we noted the following:
• The University has a written information security plan titled 2.01 URI Information Security Program that is currently in draft form and has not been approved and formally implemented.
Cause: Policies and controls did not ensure the draft comprehensive information security program was finalized and implemented on a timely basis.
Effect: The University did not have a written final approved information security program in compliance with GLBA in place as of June 30, 2023.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-042 We recommend that the University approve and formally implement its information security program.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-040 (other matter / significant deficiency – new finding)
STUDENT FINANCIAL ASSISTANCE CLUSTER – 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.342, 93.364
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Years: 2022 to 2023
Federal Award Number: Not Applicable
Administered by: Rhode Island College (RIC)
Compliance Requirements: Special Tests & Provisions – Gramm-Leach-Bliley Act
RHODE ISLAND COLLEGE – GRAMM-LEACH-BLILEY ACT
Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR §314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR §313.3(k)(2)(vi)).
Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.
Context: During our testing of the College’s information technology, we noted that the College’s written security program did not meet the following compliance requirements:
• Ensure that the written information security program describes the use of a data inventory that includes how the institution identifies and manages data, personnel, devices, systems and facilities.
• Ensure that the written information security program identifies the use of multi-factor authentication for individuals accessing sensitive information across systems.
• Ensure that the written information security program includes an adopted change management policy with procedures documented accordingly.
• Ensure that the written information security program is evaluated and adjusted based on monitoring results, risk assessments and penetration tests.
• Ensure the written information security program has been updated within the audit period.
Cause: The College has continued to make progress in updating its written security program to become compliant with all requirements; however, due to capacity and demands on information technology staff, this is still a work in progress.
Effect: Student personal information could be vulnerable.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-040 We recommend that the College designate an individual to oversee the information security function and work to update the College’s written security program to ensure compliance with all the standards.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-041 (other matter / significant deficiency – new finding)
STUDENT FINANCIAL ASSISTANCE CLUSTER – 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.342, 93.364
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Years: 2022 to 2023
Federal Award Number: P268K232175
Administered by: Rhode Island College (RIC)
Compliance Requirements: Special Tests & Provisions
RHODE ISLAND COLLEGE – RECONCILIATIONS OF THE DIRECT LOAN PROGRAM
Criteria: The Code of Federal Regulations, 34 CFR §685.300(b)(5), requires the College to reconcile, on a monthly basis, the institutional records with the Direct Loan funds received from the Secretary and the Direct Loan disbursement records submitted to and accepted by the Secretary.
Condition: Direct loan reconciliations between the COD, G5 and student accounts were not being performed in a timely manner for the year.
Context: Not all direct loan reconciliations were created on time during the year, due to staffing issues that occurred during the year.
Cause: The College’s management had turnover in key positions during the year, which increased the issues related to timely reconciliations.
Effect: The College is not complying with internal policy and federal requirements to ensure funds are properly reconciled in a timely manner.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-041 The College should ensure all necessary employees receive proper training, support, and time to follow the College's policies and federal requirements related to monthly reconciliations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-042 (other matter / significant deficiency – new finding)
STUDENT FINANCIAL ASSISTANCE CLUSTER – 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.342, 93.364
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Years: 2022 to 2023
Federal Award Number: Not Applicable
Administered by: University of Rhode Island (URI)
Compliance Requirements: Special Tests & Provisions – Gramm-Leach-Bliley Act
UNIVERSITY OF RHODE ISLAND – GRAMM-LEACH-BLILEY ACT
Criteria: The Gramm-Leach-Bliley Act (GLBA) (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR §314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR §313.3(k)(2)(vi)). Entities must establish and maintain effective internal control over federal awards (2 CFR §200.303).
Condition: Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. GLBA requires the information security program to include the elements defined at 16 CFR §314.4. During audit testing, it was noted the University did not have all the required elements.
Context: During our testing of the University’s information security plan, we noted the following:
• The University has a written information security plan titled 2.01 URI Information Security Program that is currently in draft form and has not been approved and formally implemented.
Cause: Policies and controls did not ensure the draft comprehensive information security program was finalized and implemented on a timely basis.
Effect: The University did not have a written final approved information security program in compliance with GLBA in place as of June 30, 2023.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-042 We recommend that the University approve and formally implement its information security program.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-043 (other noncompliance / significant deficiency – repeat finding – 2022-055)
TITLE I GRANTS TO LOCAL EDUCATION AGENCIES – 84.010
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Year: 2023
Federal Award Number: S010A220039 – 22A
Administered by: Rhode Island Department of Education (RIDE)
Compliance Requirement: Special Tests and Provisions – Oversight and Monitoring Responsibilities with Respect to Charter Schools with Relationships with Charter Management Organizations
SPECIAL TESTS AND PROVISIONS – OVERSIGHT AND MONITORING RESPONSIBILITIES WITH RESPECT TO CHARTER SCHOOLS WITH RELATIONSHIPS WITH CHARTER MANAGEMENT ORGANIZATIONS
RIDE does not have any specific procedures to assess the risk posed by conflicts of interest, related party transactions, or insufficient segregation of duties between the Charter School and Charter Management Organization (CMO).
Criteria: As grantees, State Education Agencies (SEAs) / Local Education Agencies (LEAs) are responsible for overseeing and monitoring subrecipients, including charter schools with relationships with Charter Management Organizations (CMOs). The SEA/LEA must: (1) evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining appropriate subrecipient monitoring (2 CFR §200.332(b)); and (2) monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved (2 CFR §200.332(d)).
Additional requirements applicable to nonfederal entities receiving federal funds include: (1) the Code of Federal Regulations (CFR) requirements regarding conflicts of interest, (2) guidance regarding related-party transactions in generally accepted accounting principles, and (3) the GAO Green Book and COSO framework guidance regarding segregation of duties applicable to charter schools with relationships with CMOs.
Condition: RIDE’s policies, procedures, and internal controls for reviewing charter schools with relationships with Charter Management Organizations (CMOs) are the same as those for all LEAs. Those policies and procedures do not include any specific procedures to assess the risk posed by conflicts of interest, related party transactions, or insufficient segregation of duties between the Charter School and CMO.
Cause: RIDE currently has two Charter Schools with a relationship with a CMO, and it did not modify its policies, procedures, and internal controls to address the Federal requirements related to the relationship.
Effect: RIDE is not in compliance with federal regulations.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-043 Enhance the policies, procedures, and internal controls over monitoring LEAs, Charter Schools, and Charter Schools with relationships to CMOs to include assessing the risk posed by conflicts of interest, related-party transactions, or insufficient segregation of duties between the Charter School and CMO.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-044 (significant deficiency – repeat finding – 2022-056)
TITLE I GRANTS TO LOCAL EDUCATION AGENCIES – 84.010
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Year: 2023
Federal Award Number: S010A220039 – 22A
Administered by: Rhode Island Department of Education (RIDE)
CAREER AND TECHNICAL EDUCATION – BASIC GRANTS TO STATES – 84.048
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Year: 2023
Federal Award Number: V048A220039 - 22A
Administered by: Rhode Island Department of Education (RIDE)
EDUCATION STABILIZATION FUND – 84.425B, 84.425C, 84.425D, 84.425U, 84.425W, 84.425V
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Years: 2020 and 2021
Federal Award Numbers: S425B200026, S425C210028, S425D210046, S425U21046-21A, S425V210010, S425W210041-21A
Administered by: Rhode Island Department of Education (RIDE)
Compliance Requirement: Activities Allowed or Unallowed
ACTIVITIES ALLOWED OR UNALLOWED
Information technology (IT) security controls over the Accelegrants system need improvement to protect reliability of the system data used to administer federal compliance.
Background: The Local Education Agencies (LEAs) generate and submit their Consolidated Resource Plan (CRP) to the Rhode Island Department of Education (RIDE) through the Accelegrants System – an application provided by a third-party vendor. Using this information, RIDE allocates the State’s allotted funding for the Title I Grants to Local Education Agencies, Education Stabilization Fund, and Career and Technical Education – Basic Grants to States programs amongst the LEAs. Additionally, the LEAs submit their requests for federal reimbursement through Accelegrants. The State allocation of Title I federal funding is reliant on the data reported in Accelegrants.
Criteria: Management should ensure that systems critical to the administration of federal programs comply with IT security industry standards and best practices. The State has adopted such practices through its Division of Enterprise Technology Strategy and Services for agencies to comply with. IT security industry standards and best practices dictate that proper access management is essential for any application processing electronic data. Access management should be in place within the Accelegrants application to ensure the proper protection and integrity of RIDE data. A critical part of access management is to ensure the timely adjustment of access privileges or removal of system access altogether for users who either transfer or terminate employment. In addition, it is vital that oversight of the vendor activities is maintained for the agency to be able to rely on the software application vendor for system security and availability.
Condition: Our evaluation of RIDE’s information systems security management noted several areas in need of improvement. Efforts are needed to provide a comprehensive approach to critical system security requirements that addresses the following:
• Access Management:
    o There was no documented process to either request or track user account changes (including additions, deletions, and privilege changes).
    o Due to a lack of a formal user account request and tracking process, it could not be determined whether user access was appropriate or removed timely. Our review of user access, as of April 2023, noted a significant number of inactive users, several with inactivity for more than a year, whose access had not been removed.
    o There was no documented periodic review of either user access or privileges to validate whether the granted access was still appropriate during fiscal 2023.
• SOC 2 Complementary User Entity Controls – There was no documented evidence of agency assessment or consideration of complementary user entity controls that were specified in the vendor provided SOC 2 report.
• Vendor Management – There was no evidence provided of agency IT vendor management oversight to ensure vendor conformance with industry standards and best practices. The agency has no method to document and review the SOC 2 report provided by the vendor.
Our follow-up on user access and privileges after year-end suggested that RIDE made progress in updating privileges and removing user access. However, RIDE did not document that process in a manner that allowed for evaluation. Although RIDE also developed policies and procedures relating to controls over user access and the consideration of complementary user entity controls relating to Accelegrants, these policies and procedures were not implemented until fiscal year 2024.
Cause: Lack of dedicated agency resources and documentation relating to information systems security and the consideration of complementary user entity controls.
Effect: Limited monitoring of user access results in a weakening of application and data security which undermines data integrity in program administration.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-044a Enhance internal controls and timeframes to ensure prompt termination of system access when employees leave or change functions. Document occurrences of timely reviews of access privileges to determine if access is appropriate.
2023-044b Review vendor identified complementary user entity controls specified in the vendor SOC 2 report and maintain the agency response as to relevance and how they are being addressed.
2023-044c Implement basic agency IT Vendor Management oversight to ensure conformance with industry standards and best practices.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-045 (significant deficiency – new finding)
CAREER AND TECHNICAL EDUCATION – BASIC GRANTS TO STATES – 84.048
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Year: 2023
Federal Award Number: V048A220039 - 22A
Administered by: Rhode Island Department of Education (RIDE)
Compliance Requirement: Eligibility
ELIGIBILITY
RIDE did not calculate the correct Career and Technical Education (CTE) allocation for Local Education Agencies (LEA).
Criteria: Section 131(a) of Perkins V (20 USC 2351) requires the State Education Agency (SEA) to distribute funds to Local Education Agencies (LEA) in two tranches as follows:
• The first tranche accounts for 30% of the grant award and is allocated based on the population of individuals aged 5 through 17 residing in the school district as a percentage of the total individuals aged 5 through 17 in all school districts.
• The second tranche accounts for 70% of the grant award and is allocated based on the population of individuals aged 5 through 17 who are from families below the poverty level residing in the school district as a percentage of the total individuals aged 5 through 17 who are from families below the poverty level residing in all school districts.
Condition: RIDE calculated the allocation of grant awards for the 30 percent tranche based on the methodology used for individuals whose families are below the poverty level as opposed to the population of the school district. This caused 29 LEAs to be allocated less than required by federal regulations and 11 LEAs to be allocated more than allowed by federal regulations. This misallocation amounted to $318 thousand of the $6.7 million grant award. The incorrect allocation did not result in noncompliance since no LEA provider spent its entire allocation and RIDE was able to recalculate and allocate the correct amounts to each provider.
Cause: The department used a spreadsheet to calculate the allocations to each school district. The spreadsheet did not include the allocation percentages for the 30% tranche (i.e., allocation of grant funding based on the school district population of individuals aged 5 through 17). Oversight was lacking to identify the allocation error in a timely manner.
Effect: Noncompliance with federal rules and regulations relating to the allocation of grants to Local Education Agencies.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-045 Enhance internal controls over the allocation of CTE grants to LEAs to ensure the allocations are calculated in accordance with federal regulations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-046 (material noncompliance / material weakness – new finding)
CAREER AND TECHNICAL EDUCATION – BASIC GRANTS TO STATES – 84.048
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Year: 2022
Federal Award Number: V048A210039 - 21A
Administered by: Rhode Island Department of Education (RIDE)
Compliance Requirement: Eligibility
ELIGIBILITY
RIDE did not reallocate unspent Career and Technical Education (CTE) grants in accordance with Section 133(b) of Perkins V.
Criteria: Section 133(b) of Perkins V (20 USC 2353) requires the State Education Agency (SEA) to reallocate unspent funds in the academic year based on Section 131(a) of Perkins V (20 USC 2351) which requires the State Education Agency (SEA) to distribute funds to Local Education Agencies (LEA) in two tranches as follows:
• The first tranche accounts for 30% of the grant award and is allocated based on the population of individuals aged 5 through 17 residing in the school district as a percentage of the total individuals aged 5 through 17 in all school districts.
• The second tranche accounts for 70% of the grant award and is allocated based on the population of individuals aged 5 through 17 who are from families below the poverty level residing in the school district as a percentage of the total individuals aged 5 through 17 who are from families below the poverty level residing in all school districts.
Condition: The department’s reallocation of unspent fiscal year 2022 CTE grants ($2.7 million) during fiscal year 2023 was not performed in accordance with Section 133(b) of Perkins V. The department in essence allowed the LEAs to keep and spend the funds until the expiration of the 27-month obligation period. This caused 22 LEAs to be allocated less than required by federal regulations and 14 LEAs to be allocated more than allowed by federal regulations.
Cause: The CTE Board of Trustees implemented rules allowing unspent funds to roll over to the LEAs until the expiration of the 27-month obligation period, which did not comply with federal rules and regulations.
Effect: Noncompliance with federal rules and regulations causing an improper allocation of grants to Local Education Agencies.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-046a Amend the reallocation of unspent funds during the academic year in accordance with Section 131(a) of Perkins V.
2023-046b Enhance controls and revise policies over the allocation of CTE grants to LEAs, to ensure the reallocations are calculated in accordance with federal regulations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-047 (other noncompliance / material weakness – new finding)
CAREER AND TECHNICAL EDUCATION – BASIC GRANTS TO STATES – 84.048
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Year: 2023
Federal Award Number: V048A220039 - 22A
Administered by: Rhode Island Department of Education (RIDE)
Compliance Requirement: Matching, Level of Effort, Earmarking
LEVEL OF EFFORT – SUPPLEMENT NOT SUPPLANT
RIDE did not ensure the Local Education Agencies (LEAs) supplemented and not supplanted federal funding for Career and Technical Education (CTE).
Criteria: The State Education Agency (SEA) and its subrecipients may use funds for career and technical education activities that supplement, and not supplant, non-federal funds expended to carry out career and technical education activities (Section 211(a) of Perkins V (20 USC 2391(a))).
Condition: RIDE does not have documentation supporting its efforts to ensure compliance with Supplement Not Supplant. Currently, the department reviews the LEAs’ federal budget information related to CTE through Accelegrants prior to the allocation of grant funds. This information does not include State or local funds being used for the program, which limits RIDE’s ability to ensure compliance with supplement not supplant.
Cause: Absence of adequate policies, procedures, and documentation to ensure compliance with federal requirements.
Effect: The LEA(s), and consequently the department, may not be in compliance with federal regulations.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-047 Enhance internal controls over LEA supplement not supplant requirements by creating policies and procedures designed specifically for the CTE program. Additionally, ensure adequate documentation is maintained by the department to support such compliance.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-048 (other noncompliance / material weakness – new finding)
CAREER AND TECHNICAL EDUCATION – BASIC GRANTS TO STATES – 84.048
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Year: 2023
Federal Award Number: V048A220039 - 22A
Administered by: Rhode Island Department of Education (RIDE)
Compliance Requirement: Subrecipient Monitoring
STATE MONITORING OF ELIGIBLE RECIPIENTS
RIDE did not conduct an annual evaluation of local adjusted levels of career and technical education activity performance for eligible recipients, nor did it implement improvement plans for subrecipients that failed to meet at least 90 percent of agreed upon local level of performance for any of the core indicators of performance.
Criteria: Each state must evaluate annually, using the local adjusted levels of performance described in Section 113(b)(4) of Perkins V (20 USC 2323(b)(4)), the career and technical education activities of each eligible recipient receiving funds under Sections 131 and 132 of Perkins V (Section 123(b)(1) of Perkins V (20 USC 2343(b)(1))).
The state determines whether a subrecipient failed to meet at least 90 percent of an agreed-upon local level of performance for any of the core indicators of performance described in Section 113(b)(4) of Perkins V for all CTE concentrators and, if so, requires the subrecipient to develop and implement the improvement plan required by Section 123(b)(2) of Perkins V (20 USC 2343(b)(2)).
The state must require eligible subrecipients to include the levels of performance for each of the core indicators of performance in their local applications as required by Section 113(b)(4)(A)(ii) and disaggregated performance reporting as required by Section 113(b)(4)(B)(ii) of Perkins V.
Condition: RIDE did not perform an evaluation of local level of performance for core indicators required by federal regulations.
Cause: Absence of policies and procedures to ensure compliance with federal requirements.
Effect: Noncompliance with federal rules and regulations.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-048a Develop and promulgate policies and procedures for the evaluation of subrecipient performance and the development and implementation of subrecipient improvement plans in compliance with federal requirements.
2023-048b Ensure subrecipients include the levels of performance for each of the core indicators of performance in their local applications as required by Section 113(b)(4)(A)(ii) and disaggregated performance reporting as required by Section 113(b)(4)(B)(ii) of Perkins V.
2023-048c Enhance internal controls over subrecipient monitoring to ensure compliance with state monitoring of eligible recipients.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-044 (significant deficiency – repeat finding – 2022-056)
TITLE I GRANTS TO LOCAL EDUCATION AGENCIES – 84.010
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Year: 2023
Federal Award Number: S010A220039 – 22A
Administered by: Rhode Island Department of Education (RIDE)
CAREER AND TECHNICAL EDUCATION – BASIC GRANTS TO STATES – 84.048
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Year: 2023
Federal Award Number: V048A220039 - 22A
Administered by: Rhode Island Department of Education (RIDE)
EDUCATION STABILIZATION FUND – 84.425B, 84.425C, 84.425D, 84.425U, 84.425W, 84.425V
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Years: 2020 and 2021
Federal Award Numbers: S425B200026, S425C210028, S425D210046, S425U21046-21A, S425V210010, S425W210041-21A
Administered by: Rhode Island Department of Education (RIDE)
Compliance Requirement: Activities Allowed or Unallowed
ACTIVITIES ALLOWED OR UNALLOWED
Information technology (IT) security controls over the Accelegrants system need improvement to protect reliability of the system data used to administer federal compliance.
Background: The Local Education Agencies (LEAs) generate and submit their Consolidated Resource Plan (CRP) to the Rhode Island Department of Education (RIDE) through the Accelegrants System – an application provided by a third-party vendor. Using this information, RIDE allocates the State’s allotted funding for the Title I Grants to Local Education Agencies, Education Stabilization Fund, and Career and Technical Education – Basic Grants to States programs amongst the LEAs. Additionally, the LEAs submit their requests for federal reimbursement through Accelegrants. The State allocation of Title I federal funding is reliant on the data reported in Accelegrants.
Criteria: Management should ensure that systems critical to the administration of federal programs comply with IT security industry standards and best practices. The State has adopted such practices through its Division of Enterprise Technology Strategy and Services for agencies to comply with. IT security industry standards and best practices dictate that proper access management is essential for any application processing electronic data. Access management should be in place within the Accelegrants application to ensure the proper protection and integrity of RIDE data. A critical part of access management is to ensure the timely adjustment of access privileges or removal of system access altogether for users who either transfer or terminate employment. In addition, it is vital that oversight of the vendor activities is maintained for the agency to be able to rely on the software application vendor for system security and availability.
Condition: Our evaluation of RIDE’s information systems security management noted several areas in need of improvement. Efforts are needed to provide a comprehensive approach to critical system security requirements that addresses the following:
• Access Management:
o There was no documented process to either request or track user account changes (including additions, deletions, and privilege changes).
o Due to a lack of a formal user account request and tracking process, it could not be determined whether user access was appropriate or removed timely. Our review of user access, as of April 2023, noted a significant number of inactive users, several with inactivity for more than a year, whose access had not been removed.
o There was no documented periodic review of either user access or privileges to validate whether the granted access was still appropriate during fiscal 2023.
• SOC 2 Complementary User Entity Controls – There was no documented evidence of agency assessment or consideration of complementary user entity controls that were specified in the vendor provided SOC 2 report.
• Vendor Management – There was no evidence provided of agency IT vendor management oversight to ensure vendor conformance with industry standards and best practices. The agency has no method to document and review the SOC 2 report provided by the vendor.
Our follow-up on user access and privileges after year-end suggested that RIDE made progress in updating privileges and removing user access. However, RIDE did not document that process in a manner that allowed for evaluation. Although RIDE also developed policies and procedures relating to controls over user access and the consideration of complementary user entity controls relating to Accelegrants, these policies and procedures were not implemented until fiscal year 2024.
Cause: Lack of dedicated agency resources and documentation relating to information systems security and the consideration of complementary user entity controls.
Effect: Limited monitoring of user access results in a weakening of application and data security which undermines data integrity in program administration.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-044a Enhance internal controls and timeframes to ensure prompt termination of system access when employees leave or change functions. Document occurrences of timely reviews of access privileges to determine if access is appropriate.
2023-044b Review vendor identified complementary user entity controls specified in the vendor SOC 2 report and maintain the agency response as to relevance and how they are being addressed.
2023-044c Implement basic agency IT Vendor Management oversight to ensure conformance with industry standards and best practices.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-030 (material noncompliance / material weakness – repeat finding – 2022-039 and 2022-060)
EMERGENCY RENTAL ASSISTANCE PROGRAM – 21.023
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: ERAE0006
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
CORONAVIRUS STATE AND LOCAL FISCAL RECOVERY FUNDS – 21.027
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: SLFRP0136
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019 to 2024
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
DISASTER GRANTS – PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) – 97.036
Federal Awarding Agency: U.S. Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA)
Federal Award Fiscal Years: 2020 to 2023
Federal Award Number: FEMA-4505-DRRIP00000001
Administered by: Rhode Island Emergency Management Agency (RIEMA)
Compliance Requirement: Subrecipient Monitoring
SUBRECIPIENT MONITORING
The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs.
Background: The State relies on grantee agencies to perform subrecipient monitoring, when required, and ensure compliance with federal regulations. There is no statewide monitoring of subrecipient activities to ensure compliance with federal regulations.
Criteria: 2 CFR §200.332(d) “Requirements for pass-through entities” requires that all pass-through entities must “monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.” That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.
2 CFR §200.332(a)(1) requires pass-through entities to clearly identify certain Federal award identification information in the subaward (e.g., subrecipient unique entity identifier, Federal Award Identification Number, Assistance Listing number and title, et al.).
Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed subrecipient financial and performance reports, i.e., Single Audit reports, when applicable, or performed other monitoring activities to comply with federal regulations. Based on test results, specific to agency review of Single Audit reports, the following programs were deemed to be in material noncompliance with subrecipient monitoring requirements:
[See Schedule of Findings and Questioned Costs for tables.]
In addition to the noncompliance related to review of subrecipient audit reports noted above, we identified the following deficiencies:
• Emergency Rental Assistance Program and Coronavirus State and Local Fiscal Recovery Funds – The Pandemic Recovery Office (PRO) along with the Department of Housing, through a memorandum of understanding with PRO to administer portions of these programs, executed various subawards with local non-profit organizations. Procedures were in place to review and approve monthly invoice packages for adherence to program requirements and contract budgets, and consistency with key performance indicator data submitted by the subrecipients. However, no on-site monitoring was performed in fiscal 2023 and periodic meetings with subrecipients were not documented.
• Epidemiology and Laboratory Capacity for Infectious Diseases – Subawards executed by the Department of Health did not adequately identify required Federal award identification information.
Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations.
Effect: Noncompliance with federal compliance requirements by subrecipients could occur without being identified by the State in a timely manner.
Questioned Costs: None
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-030 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-033 (other noncompliance / significant deficiency – repeat finding – 2022-059)
WIC SPECIAL SUPPLEMENTAL NUTRITION PROGRAM FOR WOMEN, INFANTS AND CHILDREN – 10.557
Federal Awarding Agency: U.S. Department of Agriculture (USDA), Food and Nutrition Service
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 224RI705W1003, 224RI705W1006, 234RI705W1003, 234RI705W1006
Administered by: Rhode Island Department of Health (RIDOH)
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019-2024
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
Compliance Requirements: Allowable Costs/Cost Principles
TIME AND EFFORT REPORTING
RIDOH can enhance controls over time and effort reporting to ensure accurate allocations and reimbursements from federal programs.
Background: RIDOH has built robust, yet complex, time reporting worksheets for employees to allocate their time spent on various activities during the week. Reconciliation of the hours worked versus the hours charged to the State’s payroll system and accounting system is performed on a quarterly basis. Amounts recorded are adjusted accordingly to ensure charges in the accounting system are consistent with actual time charged to various programs.
Criteria: 45 CFR §75.430(i)(1) and 2 CFR §200.430(i)(1) require that “Charges to Federal awards for salaries and wages must be based on records that accurately reflect the work performed.”
Condition: Our review of personnel costs identified the following deficiencies that weaken controls over the allowability of personnel expenditures:
• Amounts allocated to federal programs for personnel costs were not consistently supported by properly signed and reviewed timesheets. While RIDOH was able to provide timesheets for all selected pay periods, for the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) program, 6 of the 80 selected weekly timesheets lacked a supervisor signature. This was considered a control deficiency, but not noncompliance since the employee reported time and effort which supported allocation to the ELC program.
• One individual noted in our ELC payroll sample (4 weekly time sheets) did not have their recorded payroll adjusted through the subsequent quarterly entry to accurately reflect work performed on federal programs. This resulted in payroll costs being overallocated to the ELC program (questioned costs - $3,355).
• For both ELC and the Special Supplemental Nutrition Program for Women, Infants and Children (WIC), we noted time and effort recorded to generalized timesheet category codes (i.e., Administrative Support, Finance and Operations, ICS – Incident Command System) lacked sufficient detail (i.e., underlying activity performed in support of related category code) to support its specific federal program allocation. Questioned costs could not be determined due to the lack of time and effort detail reported.
Cause: Policies and procedures were ineffective to ensure amounts claimed and reimbursed by federal programs for personnel costs were reflective of the actual work performed on the various programs/projects listed. The State’s lack of sufficient timesheet detail prevented direct verification of recorded timesheet activities to the underlying charges on federal programs.
Effect: Personnel costs reimbursed from federal awards could be unallowable due to insufficient support and documentation.
Questioned Costs: $3,355 (ELC – 93.323)
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-033 Enhance weekly reporting of time and effort to improve documentation and support for personnel costs charged to federal programs.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-049 (other noncompliance / significant deficiency – repeat finding – 2022-038)
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019 to 2024
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
Compliance Requirement: Reporting
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA)
Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA.
Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS).
Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for certain programs audited during fiscal 2023. In our testing of compliance with FFATA, we noted the following exceptions:
[See Schedule of Findings and Questioned Costs for table.]
While the State has conducted training for the various departments and agencies, procedures at the department level to ensure FFATA reporting requirements are met have not been implemented.
Cause: Controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements.
Effect: RIDOH did not sufficiently comply with the reporting requirements of FFATA.
Questioned Costs: None
Valid Statistical Sample: Not Applicable
RECOMMENDATION
2023-049 Establish policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-050 (significant deficiency – repeat finding – 2022-052)
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019 to 2024
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
DISASTER GRANTS – PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) – 97.036
Federal Awarding Agency: U.S. Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA)
Federal Award Fiscal Years: 2020 to 2023
Federal Award Number: FEMA-4505-DRRIP00000001
Administered by: Rhode Island Emergency Management Agency (RIEMA)
Compliance Requirement: Activities Allowed or Unallowed; Allowable Costs/Cost Principles
CONTROLS OVER PANDEMIC-RELATED EXPENDITURES ALLOCABLE TO MULTIPLE FUNDING SOURCES OR FEDERAL AWARDS
The State had insufficient controls to ensure expenditures were not reimbursed from more than one funding source or award under federal programs with similar pandemic response related objectives. Reconciliations of accounting records to align program revenues with federal revenues received were not fully completed at fiscal year-end.
Background: The State has received an unprecedented amount of federal assistance to respond to the effects of the global health pandemic. Included in this assistance were funds received from the FEMA Stafford Act Disaster Grants program and the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) program, among others. Certain costs were eligible for reimbursement under multiple programs and funding sources. Expenditures were often applied to one funding source and then subsequently adjusted to another funding source as federal guidelines changed and the end of the period of availability drew near for multiple awards. Due to the length of the pandemic, adjustments of program expenditures between federal programs or other funding sources overlapped fiscal years at times.
Criteria: Expenditures may only be reimbursed from one funding source or federal award.
Condition: Due to changing federal guidelines and the evolving State response to the pandemic, costs were sometimes charged to one funding source and then later moved to another funding source. When expenditures are reclassified or reallocated within the RIFANS accounting system, journal entries are used to move the aggregate dollar activity; however, the original transaction (expenditure/disbursement) remains in the account originally charged, offset by a credit. This process complicates the identification of the underlying expenditures reimbursed by the federal award and increases the risk that expenditures could be reimbursed from more than one federal award.
During fiscal 2023, we noted the following adjustments to financial activity supporting the cited control deficiency:
• Approximately $1.0 million in expenditures were adjusted from ELC to FEMA, and another $1.8 million from restricted funding sources to ELC.
• Approximately $2.1 million was adjusted from various federal programs and non-federal accounts to FEMA’s Disaster Grants program and another $6.6 million from FEMA’s Disaster Grants program to various federal programs and other non-federal expenditure accounts.
The State implemented a reconciliation process to account for, and adjust as necessary, federal program activity to align accounting records with actual final funding sources of the activities. Journal entries were processed in fiscal 2023 to adjust expenditures between federal and non-federal funding sources for prior and current year activity. While there was a significant decrease in the magnitude of the adjustments compared to prior years, reconciliations for all State agencies and departments were not fully completed at June 30, 2023.
Cause: Due to the rapid response required during the pandemic, the existence of multiple federal funding sources, and continually evolving federal guidance, costs were moved and adjusted in the accounting system to various funding sources, which increased the risk that a cost could be reimbursed from more than one funding source or federal award.
Effect: Potential duplicate reimbursement of expenditures from more than one funding source or federal award. Potential of charging costs for unallowable activities to federal programs as the expenditure detail is not maintained when expenditures are adjusted in the accounting system.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-050a Ensure reconciliations and any required adjustments are complete to demonstrate that eligible pandemic-related program costs were not reimbursed from more than one funding source.
2023-050b Determine whether any program costs were reimbursed by multiple funding sources. Return any related funds to the appropriate federal grantor.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-042 (other matter / significant deficiency – new finding)
STUDENT FINANCIAL ASSISTANCE CLUSTER – 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.342, 93.364
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Years: 2022 to 2023
Federal Award Number: Not Applicable
Administered by: University of Rhode Island (URI)
Compliance Requirements: Special Tests & Provisions – Gramm-Leach-Bliley Act
UNIVERSITY OF RHODE ISLAND – GRAMM-LEACH-BLILEY ACT
Criteria: The Gramm-Leach-Bliley Act (GLBA) (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR §314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs to be “financial institutions” subject to the Gramm-Leach-Bliley Act (16 CFR §313.3(k)(2)(vi)). Entities must establish and maintain effective internal control over federal awards (2 CFR §200.303).
Condition: Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. GLBA requires the information security program to contain the elements defined at 16 CFR §314.4. During audit testing, it was noted that the University did not have all the required elements.
Context: During our testing of the University’s information security plan, we noted the following:
• The University has a written information security plan titled 2.01 URI Information Security Program that is currently in draft form and has not been approved and formally implemented.
Cause: Policies and controls did not ensure the draft comprehensive information security program was finalized and implemented on a timely basis.
Effect: The University did not have a written final approved information security program in compliance with GLBA in place as of June 30, 2023.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-042 We recommend that the University approve and formally implement its information security program.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-051 (other noncompliance / material weakness – repeat finding – 2022-061)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RITANF and G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Eligibility
CONTROLS OVER ELIGIBILITY FOR THE TEMPORARY ASSISTANCE FOR NEEDY FAMILIES (TANF) PROGRAM
Internal controls are lacking to ensure that TANF eligibility is supported by documentation required by program regulations. Documentation deficiencies, specifically relating to applicant residency, resulted in noncompliance with TANF eligibility requirements for fiscal 2023.
Background: RIBridges is the State’s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and periodic validation of client-attested data through multiple electronic interfaces.
Criteria: Federal regulation 45 CFR §260.20 requires that a family be needy in order to be eligible for TANF assistance and job preparation services. 45 CFR §205.60(a) requires “the State agency will maintain or supervise the maintenance of records necessary for the proper and efficient operation of the plan, including records regarding applications, determination of eligibility, the provision of financial assistance, and the use of any information obtained under §205.55, with respect to individual applications denied, recipients whose benefits have been terminated, recipients whose benefits have been modified, and the dollar value of these denials, terminations and modifications. Under this requirement, the agency will keep individual records which contain pertinent facts about each applicant and recipient. The records will include information concerning the date of application and the date and basis of its disposition; facts essential to the determination of initial and continuing eligibility (including the individual's social security number, need for, and provision of financial assistance); and the basis for discontinuing assistance.” The State’s policies and procedures require that documentation used to verify eligibility be maintained in the case file. Federal regulations define appropriate sources of documentation to verify TANF applicant data when determining TANF eligibility.
Proof of residency is a requirement for TANF eligibility. According to the RI State Plan, acceptable documentation for proof of residency includes rental receipt, lease agreement, utility bills, medical bills, bank statements, payroll statement, mortgage statement, car registration, city or town tax statement, and/or school records.
Condition: Documentation in RIBridges was insufficient to support eligibility in certain cases tested. Evaluations of exceptions relating to case documentation deficiencies, questioned costs, and consideration of noncompliance with eligibility requirements are based on documentation of critical household eligibility factors (income, residency, citizenship, valid social security number, birth certificates). If documentation omission was isolated in a case record and did not impact the substantial eligibility of the household, it was treated as an exception for control deficiency considerations only.
[See Schedule of Findings and Questioned Costs for table.]
Exceptions resulting in eligibility being unsupported by case record (8 Exceptions – 11.7% error rate):
• None of the required documentation supporting household residency was included in the case record for 7 sample households.
• Signed recertification documents not scanned to the system (4 instances). For 3 of the cases without a completed recertification, the case file notes mention their completion. In 1 instance there was no documentation or case note (this case was included in reported questioned costs) supporting recertification.
Exceptions – nonconformance with established eligibility process and/or control procedures (control exception without impact on eligibility):
• Identification documents for all household members or other supporting case documents not scanned to the system (21 instances).
Documentation deficiencies for critical eligibility requirements were noted in 11.7% of the cases we tested in fiscal 2023. While applicant attested information, in most cases, supported applicant eligibility for TANF, the lack of required critical supporting documentation and the significant number of other documentation deficiencies noted were deemed to be a material weakness in internal control over TANF eligibility. While our projection of test results did not rise to the level of material noncompliance with TANF eligibility requirements, significant noncompliance resulted from documentation deficiencies.
Cause: Lack of supporting documentation included in the TANF case record and insufficient procedures to ensure that critical case documentation is included in the case record prior to eligibility being approved for the applicant.
Effect: Noncompliance with TANF eligibility requirements and/or documentation requirements mandated by DHS policy. Ineligible benefit payments claimed to the TANF program.
Questioned Costs: $42,153
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-051 Improve policies and procedures to ensure that all required eligibility compliance requirements for TANF are documented within RIBridges.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-052 (other noncompliance / significant deficiency – new finding)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Year: 2023
Federal Award Number: G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Activities Allowed or Unallowed
CONTROLS OVER TRANSFERS TO THE SOCIAL SERVICE BLOCK GRANT (SSBG)
DHS transferred an amount to the SSBG program that exceeded the federally allowed 10 percent of the TANF award for fiscal 2023.
Criteria: The TANF block grant law provides that states may transfer up to 10 percent of their TANF grant to the SSBG (Title XX) program.
Condition: As of June 30, 2023, DHS had been awarded $70,339,314 for FFY 2023. The amount recorded in the state’s accounting system in the two accounts assigned to transfers was $7,213,005, which exceeded the 10% limit by $179,074.
Cause: Failure to monitor the amount transferred to SSBG to ensure compliance with federal regulations.
Effect: Noncompliance with the SSBG transfer limit at June 30, 2023.
Questioned Costs: $179,074
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-052 Monitor compliance with the federal 10% transfer limit prior to each transfer to the SSBG program.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-053 (significant deficiency – new finding)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Year: 2023
Federal Award Number: G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Reporting
CONTROLS OVER FINANCIAL REPORTING
Federal reports for both TANF and Childcare did not agree to underlying documentation.
Criteria: Federal reports should include all activity of the period, be supported by applicable accounting or performance records, and be fairly presented in accordance with governing requirements.
Condition: Three out of four TANF and two of four Childcare quarterly financial reports contained errors in at least one line item that went undetected by DHS. The summary documents provided as support did not agree to the underlying data.
Cause: DHS did not perform quarterly reconciliations of federal reports to the State accounting system. In addition, supervisory review of federal reports was not documented.
Effect: Federal reporting errors were made and not identified and corrected.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-053 Maintain documentation for each report as submitted. Perform a secondary review to ensure that reports agree to supporting documentation and reconcile to the accounting system.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-054 (significant deficiency – repeat finding – 2022-040)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RITANF and G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Finding 2023-016.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, and improved monitoring of system access by the MMIS system contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to be biennial);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations – these reviews are performed annually with the audit scope rotating over a three-year period;
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information; and
• Independent Verification & Validation (IV&V) monitoring services, into which the State has incorporated certain IT security monitoring functions (e.g., vulnerability scanning and analysis, participating in regular IT security meetings).
In fiscal 2023, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since attestation engagements are not contractually required annually). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-054a Improve monitoring of MMIS system access, removal of system access upon user termination, and consideration and documentation of user entity controls.
2023-054b Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-054 (significant deficiency – repeat finding – 2022-040)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RITANF and G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Finding 2023-016.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, and improved monitoring of system access by the MMIS system contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to be biennial);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations – these reviews are performed annually with the audit scope rotating over a three-year period;
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information; and
• Independent Verification & Validation (IV&V) monitoring services, into which the State has incorporated certain IT security monitoring functions (e.g., vulnerability scanning and analysis, participating in regular IT security meetings).
In fiscal 2023, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since attestation engagements are not contractually required annually). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-054a Improve monitoring of MMIS system access, removal of system access upon user termination, and consideration and documentation of user entity controls.
2023-054b Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-055 (significant deficiency – new finding)
LOW-INCOME HOME ENERGY ASSISTANCE – 93.568
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2201RILIEA and 2301RILIEA
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Eligibility
EVALUATION OF CONTROLS OVER FUNCTIONS PERFORMED BY EXTERNAL SYSTEM
See related Financial Statement Finding 2023-002.
DHS can improve its consideration of controls over functions performed by the Hancock System by obtaining proper Service Organization Control (SOC) reports provided by the outside vendor. These are necessary and consistent with management’s responsibility for the overall adequacy of the design and operation of internal control.
Background: The Low-Income Home Energy Assistance Program’s (LIHEAP) Hancock application is a cloud-based system that enables state offices to administer income eligible heating and energy assistance programs. The application is maintained by a vendor and is utilized both at the State level and within community action agencies.
Criteria: Management has the responsibility to ensure the adequacy of the design and operation of key controls over the operation of the program to ensure compliance with LIHEAP regulations. A Service Organization Control (SOC) report provided by the vendor is one means, in part, of meeting management’s responsibility. Alternatively, monitoring and assessment procedures should be performed by DHS with assistance from the State’s Enterprise Technology Strategy and Services (ETSS).
Per ETSS Policy 10-20: Passwords will have a minimum of eight (8) characters in length for standard user accounts and a minimum of fourteen (14) characters in length for privileged user accounts and passwords will not be identical to any of the previous twenty-four (24) passwords.
Per ETSS Policy 10-10: The agency will disable non-privileged accounts after 90 days of inactivity and privileged accounts after 60 days of inactivity.
Condition: DHS has not performed assessments of the accuracy and reliability of the system in determining eligibility and related benefits or considered information technology risks for the application. The system is integral to the operation of the program and to maintaining compliance with federal program requirements. The vendor provides a SOC 2 Type 2 report; however, the department did not complete a review of this report or consider its exceptions and recommended complementary user entity controls.
Additionally, Hancock LIHEAP system user passwords are only required to have a length of 6 characters and are allowed to repeat after 3 changes, which is not in compliance with the State’s Enterprise Password Policy. The agency also has neither performed user access reviews nor disabled accounts with more than 90 days of inactivity in accordance with the State’s Enterprise Access Policy.
Cause: DHS has not performed sufficient monitoring of operating effectiveness and information technology risk assessment for the Hancock LIHEAP application. The agency has not completed a review of the SOC 2 Type 2 report or considered the exceptions and recommended complementary user entity controls presented in it. The password requirements and account management, specifically users who have not accessed the system in 90 days, do not comply with the State’s policies and procedures.
Effect: Inattention to maintaining proper user access controls could result in unauthorized access to the system and potential fraud and noncompliance with program requirements.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-055a Ensure that service organization control (SOC) reports are reviewed in a timely manner, and that proper documentation and review of the complementary user entity controls are performed using the existing Accounts and Control review form.
2023-055b Adhere to the State’s ETSS Policy and require password length to be 8 characters for standard users and 14 characters for privileged user accounts. Adhere to the State’s ETSS Policy and do not allow passwords to be identical to any of the previous 24 passwords.
2023-055c Perform periodic reviews of users and disable access to non-privileged accounts after 90 days and privileged accounts after 60 days.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
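Added example (not part of the audit report, and not State or vendor tooling): a minimal user access review that applies the ETSS Policy 10-20 and 10-10 thresholds quoted in Finding 2023-055 to an application's password settings and account list. The account record fields, the sample accounts, the reading of "repeat after 3 changes" as a history depth of 3, and the choice to age never-used accounts from their creation date are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds as quoted in the finding (ETSS Policy 10-20 and 10-10).
MIN_LENGTH = {"standard": 8, "privileged": 14}
PASSWORD_HISTORY = 24
INACTIVITY_DAYS = {"standard": 90, "privileged": 60}


@dataclass
class Account:
    """Hypothetical export row from an application's user table."""
    username: str
    kind: str                   # "standard" or "privileged"
    enabled: bool
    last_login: Optional[date]  # None means the account was never used
    created: date


def password_policy_gaps(min_length_by_kind, history_depth):
    """Compare configured password rules with the policy minimums."""
    gaps = []
    for kind, required in MIN_LENGTH.items():
        configured = min_length_by_kind.get(kind, 0)
        if configured < required:
            gaps.append(f"{kind} minimum length {configured} < {required}")
    if history_depth < PASSWORD_HISTORY:
        gaps.append(f"password history {history_depth} < {PASSWORD_HISTORY}")
    return gaps


def accounts_to_disable(accounts, as_of):
    """Return (username, kind, idle_days, limit) for enabled accounts past the limit."""
    strictest = min(INACTIVITY_DAYS.values())
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled, nothing to do
        # Unknown account types get the strictest limit rather than a free pass.
        limit = INACTIVITY_DAYS.get(acct.kind, strictest)
        # Assumption: a never-used account is aged from its creation date.
        reference = acct.last_login or acct.created
        idle = (as_of - reference).days
        if idle > limit:  # "after N days": exactly N days idle is still allowed
            findings.append((acct.username, acct.kind, idle, limit))
    return sorted(findings, key=lambda f: f[2], reverse=True)


# Constructed sample data for illustration only.
AS_OF = date(2023, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("intake01", "standard", True, date(2023, 6, 1), date(2021, 1, 4)),
    Account("caa_worker7", "standard", True, date(2023, 3, 1), date(2020, 9, 14)),
    Account("sysadmin", "privileged", True, date(2023, 4, 15), date(2019, 5, 2)),
    Account("temp_2022", "standard", True, None, date(2022, 11, 1)),
    Account("former_staff", "standard", False, date(2022, 1, 10), date(2018, 3, 9)),
    Account("edge90", "standard", True, date(2023, 4, 1), date(2022, 2, 2)),
]

if __name__ == "__main__":
    # Settings described in the Condition: length 6, reuse allowed after 3 changes.
    for gap in password_policy_gaps({"standard": 6, "privileged": 6}, 3):
        print("PASSWORD POLICY GAP:", gap)
    for user, kind, idle, limit in accounts_to_disable(SAMPLE_ACCOUNTS, AS_OF):
        print(f"DISABLE {user} ({kind}): idle {idle} days, limit {limit}")
```

The privileged account is flagged at 76 idle days although a standard account with the same history would pass, which is the distinction Policy 10-10 draws between the 60-day and 90-day limits.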
Finding 2023-056 (other noncompliance / material weakness – repeat finding – 2022-062)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Eligibility
CONTROLS OVER CHILD CARE ELIGIBILITY
Controls over Child Care program eligibility, specifically relating to ensuring that required documentation is included in case records in support of eligibility determinations, need improvement.
Background: RIBridges is the State’s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and periodic validation of client attested data through multiple electronic interfaces. RIBridges determines eligibility for a childcare subsidy and the amount of parental co-pay based on family income and family size. Payments to licensed childcare providers are made through RIBridges. RIBridges is the official source of recipient eligibility documentation for the Child Care program.
Criteria: Lead agencies must have in place procedures for documenting and verifying eligibility in accordance with federal requirements, as well as the specific eligibility requirements selected by each State in its approved plan. A lead agency is the designated State, territorial or tribal entity to which the CCDF grant is awarded and that is accountable for administering the CCDF program. Lead agencies shall establish a sliding fee scale, based on family size, income, and other appropriate factors, that provides for cost sharing by families that receive CCDF childcare services (45 CFR §98.45(k)). Lead agencies may exempt families below the poverty line from making copayments and shall establish a payment rate schedule for childcare providers caring for subsidized children (45 CFR §98.45(k)(4)).
Condition: Documentation supporting Child Care program eligibility was not found in 3 of 40 sample cases reviewed, resulting in a 7.5% error rate. While this error rate did not represent material noncompliance with Child Care eligibility requirements, it did represent a material weakness in internal controls resulting in significant program noncompliance. The complete details of our testing are presented in the following table:
[See Schedule of Findings and Questioned Costs for table.]
Improved controls including systemic controls that require validation of critical documentation requirements, monitoring to ensure that cases are recertified annually, and worker training or quality control aids should be considered.
Cause: RIBridges does not prevent a case from being approved for eligibility when required documentation is omitted. Failure to document critical eligibility requirements (i.e., income validation, annual recertification) resulted in noncompliance due to unsupported eligibility.
Effect: Noncompliance with Child Care program eligibility requirements.
Questioned Costs: $14,904
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-056 Improve controls over CCDF eligibility determinations by ensuring consistent inclusion of eligibility documentation in the electronic case record.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-054 (significant deficiency – repeat finding – 2022-040)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RITANF and G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Finding 2023-016.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, and improved monitoring of system access by the MMIS system contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to be biennial);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations – these reviews are performed annually with the audit scope rotating over a three-year period;
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information; and
• Independent Verification & Validation (IV&V) monitoring services, into which the State has incorporated certain IT security monitoring functions (e.g., vulnerability scanning and analysis, participating in regular IT security meetings).
In fiscal 2023, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since attestation engagements are not contractually required annually). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-054a Improve monitoring of MMIS system access, removal of system access upon user termination, and consideration and documentation of user entity controls.
2023-054b Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-056 (other noncompliance / material weakness – repeat finding – 2022-062)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Eligibility
CONTROLS OVER CHILD CARE ELIGIBILITY
Controls over Child Care program eligibility, specifically relating to ensuring that required documentation is included in case records in support of eligibility determinations, need improvement.
Background: RIBridges is the State’s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and periodic validation of client attested data through multiple electronic interfaces. RIBridges determines eligibility for a childcare subsidy and the amount of parental co-pay based on family income and family size. Payments to licensed childcare providers are made through RIBridges. RIBridges is the official source of recipient eligibility documentation for the Child Care program.
Criteria: Lead agencies must have in place procedures for documenting and verifying eligibility in accordance with federal requirements, as well as the specific eligibility requirements selected by each State in its approved plan. A lead agency is the designated State, territorial or tribal entity to which the CCDF grant is awarded and that is accountable for administering the CCDF program. Lead agencies shall establish a sliding fee scale, based on family size, income, and other appropriate factors, that provides for cost sharing by families that receive CCDF childcare services (45 CFR §98.45(k)). Lead agencies may exempt families below the poverty line from making copayments and shall establish a payment rate schedule for childcare providers caring for subsidized children (45 CFR §98.45(k)(4)).
Condition: Documentation supporting Child Care program eligibility was not found in 3 of 40 sample cases reviewed, resulting in a 7.5% error rate. While this error rate did not represent material noncompliance with Child Care eligibility requirements, it did represent a material weakness in internal controls resulting in significant program noncompliance. The complete details of our testing are presented in the following table:
[See Schedule of Findings and Questioned Costs for table.]
Improved controls including systemic controls that require validation of critical documentation requirements, monitoring to ensure that cases are recertified annually, and worker training or quality control aids should be considered.
Cause: RIBridges does not prevent a case from being approved for eligibility when required documentation is omitted. Failure to document critical eligibility requirements (i.e., income validation, annual recertification) resulted in noncompliance due to unsupported eligibility.
Effect: Noncompliance with Child Care program eligibility requirements.
Questioned Costs: $14,904
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-056 Improve controls over CCDF eligibility determinations by ensuring consistent inclusion of eligibility documentation in the electronic case record.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-053 (significant deficiency – new finding)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Year: 2023
Federal Award Number: G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Reporting
CONTROLS OVER FINANCIAL REPORTING
Federal reports for both TANF and Childcare did not agree to underlying documentation.
Criteria: Federal reports should include all activity of the period, be supported by applicable accounting or performance records, and be fairly presented in accordance with governing requirements.
Condition: Three out of four TANF and two of four Childcare quarterly financial reports contained errors in at least one line item that went undetected by DHS. The summary documents provided as support did not agree to the underlying data.
Cause: DHS did not perform quarterly reconciliations of federal reports to the State accounting system. In addition, supervisory review of federal reports was not documented.
Effect: Federal reporting errors were made and not identified and corrected.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-053 Maintain documentation for each report as submitted. Perform a secondary review to ensure that reports agree to supporting documentation and reconcile to the accounting system.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-054 (significant deficiency – repeat finding – 2022-040)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RITANF and G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Finding 2023-016.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, and improved monitoring of system access by the MMIS system contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to be biennial);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations – these reviews are performed annually with the audit scope rotating over a three-year period;
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information; and
• Independent Verification & Validation (IV&V) monitoring services, into which the State has incorporated certain IT security monitoring functions (e.g., vulnerability scanning and analysis, participating in regular IT security meetings).
In fiscal 2023, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since attestation engagements are not contractually required annually). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-054a Improve monitoring of MMIS system access, removal of system access upon user termination, and consideration and documentation of user entity controls.
2023-054b Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-057 (other noncompliance / material weakness – repeat finding – 2022-064)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Eligibility
CONTROLS OVER ELIGIBILITY DETERMINATIONS WITHIN THE CHILDREN’S HEALTH INSURANCE PROGRAM (CHIP)
Operational and system deficiencies, including eligibility processing modifications implemented due to PHE regulations and policy modifications, resulted in noncompliance with federal regulations relating to CHIP eligibility.
Background: Medical benefit expenditures claimed to CHIP totaled $152.3 million in fiscal 2023. Most benefit expenditures represented managed care capitation payments. Certain modifications to program eligibility requirements remained in place as the public health emergency (PHE) declaration remained in effect for most of fiscal 2023.
Criteria: Eligibility requirements for CHIP are detailed in the State Plan. Recipient eligibility requirements generally include children under age 19 with household income less than 261% of the federal poverty level (FPL). Coverage of pregnant women and unborn children of non-citizens is also available under CHIP for members with household income less than 253% of FPL. Enhanced funding under CHIP is available only for children without existing health coverage. Children with existing health coverage are eligible for Medical Assistance.
Condition: Controls over CHIP eligibility determinations, except for the PHE limitations described above, were largely unchanged during fiscal 2023. While most CHIP eligibility was identified through RIBridges, EOHHS identified additional CHIP claiming (approximately $2.7 million) through querying the MMIS for members meeting CHIP characteristics but not coded as CHIP eligible by RIBridges. Utilizing two separate claiming mechanisms continues to weaken controls over CHIP eligibility.
For fiscal 2023, we tested a sample of 60 CHIP eligible members (capitation payments totaling $148,500, federal share - $106,920, for the members tested) for compliance with program eligibility requirements. Total capitation claimed to CHIP totaled $118.2 million (federal share - $85.1 million) during fiscal 2023. Our testing noted the following noncompliance and documentation deficiencies with eligibility requirements for CHIP:
• Documentation supporting income (e.g., electronic State Wage & Information Collection Agency (SWICA) validation or applicant submitted documentation (i.e., paystubs)) was lacking in 3 out of 60 cases. Our review of SWICA data provided by the RI Department of Labor and Training noted income which would have determined 2 of the 3 cases ineligible had it been reported properly in RIBridges. These exceptions are being classified as income documentation deficiencies in these cases only (not questioned or considered noncompliance) as PHE restrictions would have allowed these cases to remain eligible in fiscal 2023 regardless of the excess income determination.
• A member voluntarily withdrew from the CHIP program but was not disenrolled from the program in 1 out of 60 cases (questioned costs - $710).
In addition to noncompliance reported above, the State continued to claim CHIP enhanced reimbursement for children with existing third-party health insurance coverage. Our analysis of members charged to CHIP against a file of validated health insurance coverage provided by the Medicaid fiscal agent, found 643 members charged to CHIP that had verified other private insurance for the entire fiscal year. Capitation payments made in fiscal 2023 for those members totaled $1,326,407 (questioned costs - $955,013). During fiscal 2023, the State implemented system changes to RIBridges, designed to prevent children with existing health coverage from being coded CHIP eligible; however, it was not possible to evaluate the effectiveness of this system functionality since changes in eligibility during the PHE, in many instances, were not being communicated to the MMIS.
Program controls to ensure that CHIP children are aged out of CHIP do not ensure that CHIP claiming meets federal requirements. An analysis of children charged to CHIP during fiscal 2023 age 19 or older noted 3,070 individuals with benefits claimed to CHIP. While most of these individuals likely remained eligible for CHIP under PHE restrictions that required states to maintain eligibility during the PHE period, our analysis identified 37 individuals that turned 19 before the start of the PHE and no longer qualified for CHIP claiming. Capitation paid during fiscal 2023 for these 37 individuals totaled $124,855 (questioned costs - $89,896).
In conjunction with audit work performed during fiscal 2023 to evaluate the effectiveness of systemic processes in RIBridges designed to identify Medicaid/CHIP members no longer residing in the State, we determined that the system functionality to follow-up on Public Assistance Reporting Information System (PARIS) notifications was not operating as designed. PARIS notifies States when a member has begun receiving benefits in another state or territory. The State opted to pause the functionality due to a lack of operational capacity to adhere to CMS 9912 Final Rule, which required the State to pursue additional reasonable measures during the PHE before terminating the individual’s enrollment. With systemic controls paused, controls over member residency during our audit period were found to be ineffective. The amount of capitation paid for CHIP members no longer residing in the State was not determinable during our audit period.
Lastly, we identified instances where non-qualified, non-citizen children that were eligible under a State coverage program titled “Cover All Kids” had been coded with CHIP aid categories during periods within fiscal 2023. Our analysis found that the coding error likely impacted 177 cases within CHIP during fiscal 2023. Since the duration of the coding error varied, ineligible costs could not be determined.
Cause: Noncompliance with CHIP eligibility requirements was caused by CHIP-specific programming deficiencies within RIBridges (e.g., interface validations not operating as designed, failure to limit claiming for children with third-party health insurance coverage) or insufficient documentation supporting eligibility within the case record (i.e., lack of income documentation).
Effect: Noncompliance with federal requirements relating to recipient eligibility for CHIP.
Questioned Costs: $1,045,619
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2023-057a Address and correct the RIBridges system deficiencies (e.g., citizenship and income validation, TPL consideration) which weaken controls and result in noncompliance with federal regulations regarding CHIP eligibility.
2023-057b Identify ineligible CHIP costs and return to the federal grantor.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-058 (other noncompliance / significant deficiency – new finding)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
INTERNAL CONTROLS OVER COST ALLOCATION
Internal controls over administrative costs allocated to the Medical Assistance and CHIP programs need to be improved to ensure that costs allocated to the programs comply with federal regulations.
Background: Administrative expenditures incurred by various State agencies involved in the administration of Medicaid and CHIP programs (e.g., EOHHS, Department of Behavioral Healthcare, Developmental Disabilities & Hospitals (BHDDH), Department of Children, Youth, & Families (DCYF)) are allocated to the programs through federally approved cost allocation systems. All administrative expenditures determined allowable for claiming to the programs are reported to EOHHS which claims the expenditures on federal reports. Agencies adjust administrative expenditures reported in the State accounting system periodically to align with the administrative costs determined through their respective cost allocation systems.
Criteria: Management is responsible for implementing and maintaining internal controls to ensure administrative costs are charged in accordance with federal regulations.
Condition: While all State agencies administering Medical Assistance and CHIP programs utilize federally approved cost allocation plans, internal controls are not sufficiently documented and monitored to ensure expenditures allocated to federal programs are accurate and in compliance with federal regulations. Recommended controls found to be specifically lacking included:
• Documented reconciliations between costs allocated to federal programs and the State accounting system were lacking or untimely;
• Most agency cost allocation systems are operated by one individual, thus supervisory review and monitoring of the process is lacking and not formalized; and
• Most agencies do not conduct any monitoring to ensure that administrative expenditures being allocated to federal programs meet the requirements of federal Uniform Guidance.
During our audit, certain findings were not identified in a timely manner due to the above control deficiencies:
• EOHHS did not reconcile quarterly cost allocation results with the State accounting system in a timely manner; and
• BHDDH’s adjustment of cost allocation resulted in significantly overstated federal expenditures in the State accounting system due to staff errors.
While both findings impacted federal expenditures reported in the State’s Schedule of Expenditures of Federal Awards, the impact on federal expenditures claimed on the CMS-64 Report is not known and under review by both agencies.
Cause: Deficiencies in internal control over administrative expenditure claiming to Medicaid and CHIP.
Effect: Potential noncompliance with federal requirements relating to allowable costs.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-058 Improve internal controls over administrative claiming to federal programs, including documentation of policies and procedures and improved supervision and monitoring of the cost allocation process.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-059 (material noncompliance / material weakness – repeat finding – 2022-065)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Managed Care Financial Audit
MANAGED CARE FINANCIAL AUDIT
The State is not currently in compliance with federal requirements to obtain audited financial reports from its managed care organizations (MCO) in accordance with 42 CFR §438.3(m).
Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs:
• 42 CFR §438.3(m) Audited financial reports. “The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.”
• 42 CFR §438.602(e) Periodic audits. “The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.”
Condition: Federal program integrity requirements for audits of MCO financial reports have not been implemented by the State. This requirement is effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the financial report audit requirement has not been complied with.
The State continued to improve its compliance with these federal requirements during fiscal 2023 by contracting for its first study of encounter data validation. The encounter data validation study was designed to identify incomplete data, perform missing data quality checks, and assess the frequency and impact of late encounter data submissions. This study identified several areas where encounter data quality and consistency can be improved moving forward. The study of encounter data quality coupled with EOHHS’s internal efforts to reconcile submitted encounter data with the Financial Data Cost Reports (FDCR) submitted by the plans has significantly improved financial accountability within managed care.
Cause: Failure to implement federal requirements by the stated effective date.
Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-059a Implement policies and procedures to comply with federal regulations for audits of MCO financial reports.
2023-059b Address deficiencies identified by the contracted encounter data study by ensuring corrective action is taken by the MCOs.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-060 (other noncompliance / material weakness – repeat finding – 2022-066)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Provider Eligibility
MEDICAID MANAGED CARE ORGANIZATIONS – PROVIDER ELIGIBILITY
Controls over the screening, enrollment, and revalidation of providers within the Medicaid program should be improved to ensure compliance with federal requirements relating to provider eligibility.
Criteria: 42 CFR §455.410, Enrollment and screening of providers, requires:
(a) The State Medicaid agency must require all enrolled providers to be screened under this subpart.
(b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers.
(c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following:
(1) Medicare contractors.
(2) Medicaid agencies or Children's Health Insurance Programs of other States.
(d) The State Medicaid agency must allow enrollment of all Medicare-enrolled providers and suppliers for purposes of processing claims to determine Medicare cost-sharing (as defined in section 1905(p)(3) of the Act) if the providers or suppliers meet all Federal Medicaid enrollment requirements, including, but not limited to, all applicable provisions of 42 CFR part 455, subparts B and E. This paragraph (d) applies even if the Medicare-enrolled provider or supplier is of a type not recognized by the State Medicaid Agency.
42 CFR §455.412, Verification of provider licenses, requires that the State Medicaid agency (SMA) must:
(a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State.
(b) Confirm that the provider's license has not expired and that there are no current limitations on the provider's license.
42 CFR §455.436, Federal database checks, requires that the State Medicaid agency must do all of the following:
(a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases.
(b) Check the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe.
(c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) Check the LEIE and EPLS no less frequently than monthly.
Condition: The State made substantial progress in ensuring compliance with federal requirements relating to the screening, enrollment, and revalidation requirements for providers of managed care organizations during fiscal 2023. While materially complying with these federal requirements, our audit noted the following control deficiencies relating to provider eligibility that need to be addressed:
• Licensing for providers of behavioral healthcare services and home and community-based services to members with developmental disabilities is, by statute, the responsibility of the Department of Behavioral Healthcare, Developmental Disabilities, and Hospitals (BHDDH). BHDDH, in conjunction with evaluations of provider health and safety standards, relicenses providers biennially. Inconsistent with most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual license data from BHDDH, resulting in a weakness in control for this segment of providers.
• Licensing for providers of residential services (inclusive of psychiatric services) to children in the State’s custody is, by statute, the responsibility of the Department of Children, Youth, and Families (DCYF). DCYF, in conjunction with evaluations of provider health and safety standards, relicenses providers annually. Inconsistent with most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual license data from DCYF resulting in a weakness in control for this segment of providers.
• We tested a random sample of 120 providers (both fee-for-service and managed care providers) to ensure that providers were properly enrolled in accordance with federal regulations. We identified 5 managed care providers that were not enrolled in accordance with federal regulations (questioned costs - $54,043).
• Encounter data submitted by managed care organizations is not currently validated for provider enrollment upon acceptance. Implementing this additional edit when processing encounter data would improve controls over compliance.
• For claims representing care furnished to a beneficiary by an out-of-state furnishing provider, the SMA may pay a claim to a furnishing provider that is not enrolled in the reimbursing state’s Medicaid plan, in limited circumstances. In these circumstances, the State is required to meet several requirements including verification that the provider is enrolled in good standing in Medicare or another state’s Medicaid program. The State is not currently performing such validation for out-of-State providers with limited claiming activity.
• Federal regulations require States to check federal databases for providers excluded from participating in federal programs monthly as part of provider eligibility requirements. While the State currently checks for exclusion upon initial enrollment, re-enrollment, or if other provider organizational changes are reported, the State does not perform monthly checks.
Cause: Weaknesses in internal controls over provider eligibility that collectively undermine compliance with federal regulations.
Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks.
Questioned Costs: $54,043
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-060 Enhance internal controls over provider eligibility by addressing deficiencies cited that collectively undermine compliance with federal regulations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-061 (material weakness – repeat finding – 2022-067)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirements: Activities Allowed or Unallowed; Allowable Costs/Cost Principles
CONTROLS OVER MANAGED CARE CAPITATION PAYMENTS AND CONTRACT SETTLEMENTS
See related Financial Statement Finding 2023-005.
Capitation payments to managed care organizations (MCOs) represent approximately 65% of Medicaid benefit expenditures. EOHHS needs to improve controls over managed care financial activity to ensure compliance with allowable cost principles for related program expenditures.
Background: Medicaid expenditures for members enrolled in managed care during fiscal 2023 approximated $2.2 billion (monthly capitation payments paid to participating MCOs). This comprised managed care coverage for 321,662 Medicaid eligible members - approximately 86% of total Medicaid enrollees at June 30, 2023. These capitation payments related to the following managed care programs within the State’s Medicaid program:
[See Schedule of Findings and Questioned Costs for table.]
Each of these programs has different population eligibility characteristics, capitation rate structures, and covered in-plan services. However, these programs operate under similar contract structures for purposes of financial settlement with Medicaid.
Recognizing the significance of managed care services within the Medicaid program and the need to strengthen fiscal integrity and accountability controls over these services, the Centers for Medicare & Medicaid Services (CMS) overhauled managed care regulations in fiscal 2020. The revised regulations are designed to strengthen fiscal transparency and integrity of managed care services provided in the Medicaid and CHIP programs.
Since managed care services provided within the RI Medicaid and CHIP programs involve complex rate setting and contract settlement provisions, the reliability and completeness of the mandated data provided by managed care organizations to the State is vital to fiscal integrity and accountability controls.
Criteria: As allowed under federal regulations, the State administers its managed care programs through contracts with MCOs which share the risk regarding financial gain or loss derived from the final contract settlements for the fiscal year. Contract settlements represent significant financial transactions within the Medicaid and CHIP programs and are subject to the provisions of 2 CFR Part 200 (Uniform Guidance). In conjunction with Uniform Guidance requirements, management is responsible for maintaining internal controls that ensure the allowability of federal costs. For benefit costs associated with managed care, the accuracy of contract settlements requires that costs be documented (by submitted encounter data) and in compliance with contractual requirements (e.g., allowable services, net of credits or reimbursements).
Condition: The following findings document control deficiencies and noncompliance with federal requirements which contribute to weakened controls over the allowability of managed care expenditures within Medicaid and CHIP:
• Finding 2023-005, Medicaid Program Complexity Affects Financial Reporting and Overall Program Controls – Highlights the need for system improvements to allow better financial accountability for managed care premiums and to enhance the processing of encounter data in support of the managed care contract settlement process.
• Finding 2023-059, Managed Care Financial Audit – The managed care financial audit requirements included by CMS were designed to improve controls over financial activity and the underlying data reported by managed care organizations, which become the basis for contract settlements with the Medicaid and CHIP programs. The State’s noncompliance with these federal requirements results in weakened controls over the administration of managed care activity.
Addressing the above findings will improve (1) final contract settlements with the MCOs and (2) the reliability of data utilized in developing prospective capitation rates.
In addition to the reliability of the data provided by managed care organizations to the State, ensuring that reported medical expenditures are supported by valid encounter data is an important control over the contract settlement process. In conjunction with our review of fiscal 2022 managed care contract settlements completed after the one-year claim runout period, we reviewed the percentage of reported managed care expenditures by plan versus submitted encounter data by plan. The following table provides context regarding the amount of medical expenditures that were not supported by submitted encounter data in fiscal 2022 contract settlements.
[See Schedule of Findings and Questioned Costs for table.]
Managed care contract settlements, in addition to ensuring that reported medical expenditures are complete and accurate, are highly dependent on reported capitation paid to managed care organizations. During our audit, we noted several areas where controls over capitation can be enhanced by improving controls that ensure timely termination of managed care enrollment when members pass away or relocate out of State.
The current Medicaid Management Information System (MMIS) is over two decades old and was programmed as a medical claims processing system. The system was not programmed with the functionality needed to process capitation adjustments and edit encounter data sufficiently for managed care activity, which represents the majority of Medicaid benefit expenditures.
Cause: Control deficiencies exist relating to final contract settlements with managed care organizations (MCOs) and managed care capitation payments.
Effect: Potential for inaccurate reimbursements to MCOs for contract services provided to Medicaid enrollees.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-061 Improve controls over compliance requirements for the allowability of federal expenditures by addressing internal control deficiencies (including system limitations for managed care capitation adjustments and editing encounter data) that specifically impact financial settlements with managed care organizations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-062 (significant deficiency – repeat finding – 2022-068)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Reporting
FEDERAL REPORTING
Controls should be improved over the quarterly reporting of expenditures for the Medicaid and CHIP programs.
Criteria: Federal regulations require that expenditures for federal programs be accurately reported on Form CMS-64. The RIFANS accounting system is the State’s official record of federal program expenditures, and therefore, should be the basis for federal reports. Forms CMS-64 and CMS-21 are required for the quarterly filing of benefit and administrative expenditures for the Medicaid and CHIP programs. Additionally, the CMS-425 Report is required quarterly to reflect the cumulative disbursement of program expenditures from authorized grant awards (by federal fiscal year) for the respective programs.
Condition: Reviews of federal reports for fiscal 2023 noted the following reporting deficiencies:
• Approximately $2.7 million in CHIP expenditures were claimed to Medicaid initially and determined retroactively to be CHIP eligible and reclassified on federal reports between the two federal programs. The untimely adjustment of expenditures between the Medicaid and CHIP programs results in timing differences and reporting adjustments that complicate the reconciliation of federal reports to RIFANS for both programs.
• Reconciling administrative expenditures to the State accounting system was not performed consistently by the State’s other health and human service (HHS) agencies charging administrative expenditures to Medicaid. Various HHS agencies utilize six separate and distinct cost allocation plans to allocate administrative expenditures to Medicaid. The lack of a comprehensive administrative costs reconciliation between the CMS-64 Report and the State accounting system prevents quantifying differences between federal expenditures claimed in federal reports and amounts reported in the State’s Schedule of Expenditures of Federal Awards.
• Nursing facility taxes and hospital licensing fees were reported quarterly in accordance with CMS-64 Report requirements. However, EOHHS needs to consider whether other healthcare-related taxes meet the requirements for reporting on the CMS-64 Report to ensure the completeness of reports filed. The OAG specifically inquired regarding premium taxes that are factored into Medicaid managed care rates to determine if that health insurer tax should also be reported on the CMS-64 Report.
Cause: Untimely adjustments of expenditures between the Medicaid and CHIP programs weaken controls over federal reporting for both programs. Lack of complete reconciliation of Medicaid administrative expenditures to the State accounting system represents a weakness in internal control over federal reporting. Procedures to ensure the consistent and complete reporting of healthcare-related taxes and fees on the CMS-64 Report are lacking.
Effect: Increased risk of inaccurate federal reporting.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-062a Eliminate untimely expenditure adjustments between Medicaid and CHIP by addressing RIBridges programming deficiencies which prevent CHIP eligibility from being completely determined and coded through the State’s integrated eligibility system.
2023-062b Require all HHS agencies to submit reconciliations of their quarterly administrative claiming (as determined through approved cost allocation methodologies) to reported expenditures in RIFANS on a quarterly basis.
2023-062c Conduct an analysis of healthcare-related fees and taxes levied by the State to determine if other healthcare-related taxes require reporting in the CMS-64 Report.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-063 (significant deficiency – repeat finding – 2022-069)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER THIRD-PARTY LIABILITY (TPL) IDENTIFICATION FOR MEMBERS COVERED UNDER MANAGED CARE
The State should improve controls relating to the identification of third-party insurance coverage to ensure that, when appropriate, Medicaid is the payer of last resort by (a) ensuring that TPL reported in the MMIS is accurate and up to date, and (b) ensuring that managed care organizations (MCOs) are effectively identifying TPL insurance coverage for Medicaid recipients and cost avoiding for claims covered by other insurance.
Background: The State utilizes a vendor in conjunction with its MMIS operations to identify TPL coverage for Medicaid (and CHIP) eligible members. For members enrolled in managed care, the managed care organizations (MCOs) are responsible for identifying TPL coverage. By contract, MCOs must notify the State of identified TPL within 5 business days of discovery. In response to prior year reporting of this issue, the State began more actively sharing identified TPL information with the MCOs.
Criteria: 42 CFR §433.138 requires that States (as defined in their approved State Plan) must take reasonable measures to determine the legal liability of the third parties responsible for paying for services furnished under the State Plan. Federal regulations indicate the minimum required measures that the State must include in their State Plan. Rhode Island’s State Plan TPL procedures are largely focused on TPL identification processes for fee-for-service claiming within the Medicaid program. The State’s contracts with MCOs include requirements for the identification and reporting of TPL for covered members.
With most Medicaid beneficiaries enrolled in managed care, ensuring the completeness and effectiveness of TPL identification by the MCOs is important to ensure compliance with federal regulations. Actual claims paid by the MCOs become the basis for final contract settlements; therefore, failure to identify other responsible insurance (TPL) prevents timely cost avoidance during claims processing and increases overall contract costs for the Medicaid program.
Condition: During fiscal 2023, we performed certain analytical procedures on MCO encounter data to identify instances where Medicaid recipients (members with Medicaid eligibility for the entire year) had verified TPL coverage that was consistent with their Medicaid managed care coverage to determine the extent to which MCOs were paying for claims that could be cost avoided. We selected a random sample of encounter claims where the State reported verified TPL coverage (positive) and a random sample of encounter claims where the State did not report verified TPL coverage (negative). We confirmed a sample of positive and negative sample items with the MCOs to evaluate the percentage of State verified TPL that the MCOs had successfully identified. Our test results for fiscal 2023 showed notable improvement from prior years. While one MCO reported 100% accuracy in their sample results, two MCOs each reported a 15% error rate (missing TPL coverage for 3 out of 20 members included in our sample).
Our continued analysis of federal requirements for TPL identification and cost avoidance in fiscal 2023, while showing significant improvement, supports the need for continued monitoring and validation procedures by EOHHS. EOHHS should continue to obtain a validated TPL insurance coverage file for Medicaid members annually and share validated TPL coverage with the MCOs. EOHHS should also request Medicaid member TPL coverage from the MCOs annually to validate that the MCOs are utilizing the data provided by the State.
Cause: Insufficient monitoring of TPL identification and cost avoidance by managed care organizations to ensure compliance with federal regulations.
Effect: Possible noncompliance with federal regulations requiring cost avoidance or recovery of costs when third-party liability coverage is available. Overpayment of capitation and MCO contract settlement costs.
Questioned Costs: None
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-063 Share and match identified TPL coverage with the MCOs annually. Periodic matching with MCO enrollment files would ensure that TPL coverage is consistently being applied throughout the Medicaid and CHIP programs.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-054 (significant deficiency – repeat finding – 2022-040)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RITANF and G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Finding 2023-016.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, and improved monitoring of system access by the MMIS system contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to be biennial);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations – these reviews are performed annually with the audit scope rotating over a three-year period;
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information; and
• Independent Verification & Validation (IV&V) monitoring services, into which the State has incorporated certain IT security monitoring functions (e.g., vulnerability scanning and analysis, participating in regular IT security meetings).
In fiscal 2023, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since attestation engagements are not contractually required annually). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-054a Improve monitoring of MMIS system access, removal of system access upon user termination, and consideration and documentation of user entity controls.
2023-054b Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-057 (other noncompliance / material weakness – repeat finding – 2022-064)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Eligibility
CONTROLS OVER ELIGIBILITY DETERMINATIONS WITHIN THE CHILDREN’S HEALTH INSURANCE PROGRAM (CHIP)
Operational and system deficiencies, including eligibility processing modifications implemented due to PHE regulations and policy modifications, resulted in noncompliance with federal regulations relating to CHIP eligibility.
Background: Medical benefit expenditures claimed to CHIP totaled $152.3 million in fiscal 2023. Most benefit expenditures represented managed care capitation payments. Certain modifications to program eligibility requirements remained in place as the public health emergency (PHE) declaration remained in effect for most of fiscal 2023.
Criteria: Eligibility requirements for CHIP are detailed in the State Plan. Recipient eligibility requirements generally include children under age 19 with household income less than 261% of the federal poverty level (FPL). Coverage of pregnant women and unborn children of non-citizens is also available under CHIP for members with household income less than 253% of FPL. Enhanced funding under CHIP is available only for children without existing health coverage. Children with existing health coverage are eligible for Medical Assistance.
Condition: Controls over CHIP eligibility determinations, except for the PHE limitations described above, were largely unchanged during fiscal 2023. While most CHIP eligibility was identified through RIBridges, EOHHS identified additional CHIP claiming (approximately $2.7 million) through querying the MMIS for members meeting CHIP characteristics but not coded as CHIP eligible by RIBridges. Utilizing two separate claiming mechanisms continues to weaken controls over CHIP eligibility.
For fiscal 2023, we tested a sample of 60 CHIP eligible members (capitation payments totaling $148,500, federal share - $106,920, for the members tested) for compliance with program eligibility requirements. Capitation claimed to CHIP totaled $118.2 million (federal share - $85.1 million) during fiscal 2023. Our testing noted the following noncompliance and documentation deficiencies with eligibility requirements for CHIP:
• Documentation supporting income (e.g., electronic State Wage & Information Collection Agency (SWICA) validation or applicant submitted documentation (i.e., paystubs)) was lacking in 3 out of 60 cases. Our review of SWICA data provided by the RI Department of Labor and Training noted income which would have determined 2 of the 3 cases ineligible had it been reported properly in RIBridges. These exceptions are being classified as income documentation deficiencies in these cases only (not questioned or considered noncompliance) as PHE restrictions would have allowed these cases to remain eligible in fiscal 2023 regardless of the excess income determination.
• A member voluntarily withdrew from the CHIP program but was not disenrolled from the program in 1 out of 60 cases (questioned costs - $710).
In addition to noncompliance reported above, the State continued to claim CHIP enhanced reimbursement for children with existing third-party health insurance coverage. Our analysis of members charged to CHIP against a file of validated health insurance coverage provided by the Medicaid fiscal agent found 643 members charged to CHIP that had verified other private insurance for the entire fiscal year. Capitation payments made in fiscal 2023 for those members totaled $1,326,407 (questioned costs - $955,013). During fiscal 2023, the State implemented system changes to RIBridges, designed to prevent children with existing health coverage from being coded CHIP eligible; however, it was not possible to evaluate the effectiveness of this system functionality since changes in eligibility during the PHE, in many instances, were not being communicated to the MMIS.
Program controls to ensure that CHIP children are aged out of CHIP do not ensure that CHIP claiming meets federal requirements. An analysis of children charged to CHIP during fiscal 2023 age 19 or older noted 3,070 individuals with benefits claimed to CHIP. While most of these individuals likely remained eligible for CHIP under PHE restrictions that required states to maintain eligibility during the PHE period, our analysis identified 37 individuals that turned 19 before the start of the PHE and no longer qualified for CHIP claiming. Capitation paid during fiscal 2023 for these 37 individuals totaled $124,855 (questioned costs - $89,896).
In conjunction with audit work performed during fiscal 2023 to evaluate the effectiveness of systemic processes in RIBridges designed to identify Medicaid/CHIP members no longer residing in the State, we determined that the system functionality to follow up on Public Assistance Reporting Information System (PARIS) notifications was not operating as designed. PARIS notifies States when a member has begun receiving benefits in another state or territory. The State opted to pause the functionality due to a lack of operational capacity to adhere to CMS 9912 Final Rule, which required the State to pursue additional reasonable measures during the PHE before terminating the individual’s enrollment. With systemic controls paused, controls over member residency during our audit period were found to be ineffective. The amount of capitation paid for CHIP members no longer residing in the State was not determinable during our audit period.
Lastly, we identified instances where non-qualified, non-citizen children that were eligible under a State coverage program titled “Cover All Kids” had been coded with CHIP aid categories during periods within fiscal 2023. Our analysis found that the coding error likely impacted 177 cases within CHIP during fiscal 2023. Since the duration of the coding error varied, ineligible costs could not be determined.
Cause: Noncompliance with CHIP eligibility requirements was caused by CHIP specific programming deficiencies within RIBridges (e.g., interface validations not operating as designed, failure to limit claiming for children with third-party health insurance coverage) or insufficient documentation supporting eligibility within the case record (i.e., lack of income documentation).
Effect: Noncompliance with federal requirements relating to recipient eligibility for CHIP.
Questioned Costs: $1,045,619
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2023-057a Address and correct the RIBridges system deficiencies (e.g., citizenship and income validation, TPL consideration) which weaken controls and result in noncompliance with federal regulations regarding CHIP eligibility.
2023-057b Identify ineligible CHIP costs and return to the federal grantor.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-058 (other noncompliance / significant deficiency – new finding)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
INTERNAL CONTROLS OVER COST ALLOCATION
Internal controls over administrative costs allocated to the Medical Assistance and CHIP programs need to be improved to ensure that costs allocated to the programs comply with federal regulations.
Background: Administrative expenditures incurred by various State agencies involved in the administration of Medicaid and CHIP programs (e.g., EOHHS, Department of Behavioral Healthcare, Developmental Disabilities & Hospitals (BHDDH), Department of Children, Youth, & Families (DCYF)) are allocated to the programs through federally approved cost allocation systems. All administrative expenditures determined allowable for claiming to the programs are reported to EOHHS which claims the expenditures on federal reports. Agencies adjust administrative expenditures reported in the State accounting system periodically to align with the administrative costs determined through their respective cost allocation systems.
Criteria: Management is responsible for implementing and maintaining internal controls to ensure administrative costs are charged in accordance with federal regulations.
Condition: While all State agencies administering Medical Assistance and CHIP programs utilize federally approved cost allocation plans, internal controls are not sufficiently documented and monitored to ensure expenditures allocated to federal programs are accurate and in compliance with federal regulations. Recommended controls found to be specifically lacking included:
• Documented reconciliations between costs allocated to federal programs and the State accounting system were lacking or untimely;
• Most agency cost allocation systems are operated by one individual, thus supervisory review and monitoring of the process is lacking and not formalized; and
• Most agencies do not conduct any monitoring to ensure that administrative expenditures being allocated to federal programs meet the requirements of federal Uniform Guidance.
During our audit, certain findings were not identified in a timely manner due to the above control deficiencies:
• EOHHS did not reconcile quarterly cost allocation results with the State accounting system in a timely manner; and
• BHDDH’s adjustment of cost allocation resulted in significantly overstated federal expenditures in the State accounting system due to staff errors.
While both findings impacted federal expenditures reported in the State’s Schedule of Expenditure of Federal Awards, the impact on federal expenditures claimed on the CMS-64 Report is not known and under review by both agencies.
Cause: Deficiencies in internal control over administrative expenditure claiming to Medicaid and CHIP.
Effect: Potential noncompliance with federal requirements relating to allowable costs.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-058 Improve internal controls over administrative claiming to federal programs, including documentation of policies and procedures and improved supervision and monitoring of the cost allocation process.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-059 (material noncompliance / material weakness – repeat finding – 2022-065)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Managed Care Financial Audit
MANAGED CARE FINANCIAL AUDIT
The State is not currently in compliance with federal requirements to obtain audited financial reports from its managed care organizations (MCO) in accordance with 42 CFR §438.3(m).
Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs:
• 42 CFR §438.3(m) Audited financial reports. “The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.”
• 42 CFR §438.602(e) Periodic audits. “The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.”
Condition: Federal program integrity requirements requiring audits of MCO financial reports have not been implemented by the State. This requirement is effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the financial report audit requirement has not been complied with.
The State continued to improve its compliance with these federal requirements during fiscal 2023 by contracting for its first study of encounter data validation. The encounter data validation study was designed to identify incomplete data, perform missing data quality checks, and assess the frequency and impact of late encounter data submissions. This study identified several areas where encounter data quality and consistency can be improved moving forward. The study of encounter data quality coupled with EOHHS’s internal efforts to reconcile submitted encounter data with the Financial Data Cost Reports (FDCR) submitted by the plans has significantly improved financial accountability within managed care.
Cause: Failure to implement federal requirements by the stated effective date.
Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-059a Implement policies and procedures to comply with federal regulations for audits of MCO financial reports.
2023-059b Address deficiencies identified by the contracted encounter data study by ensuring corrective action is taken by the MCOs.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-060 (other noncompliance / material weakness – repeat finding – 2022-066)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Provider Eligibility
MEDICAID MANAGED CARE ORGANIZATIONS – PROVIDER ELIGIBILITY
Controls over the screening, enrollment, and revalidation of providers within the Medicaid program should be improved to ensure compliance with federal requirements relating to provider eligibility.
Criteria: 42 CFR §455.410, Enrollment and screening of providers, requires:
(a) The State Medicaid agency must require all enrolled providers to be screened under this subpart.
(b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers.
(c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following:
(1) Medicare contractors.
(2) Medicaid agencies or Children's Health Insurance Programs of other States.
(d) The State Medicaid agency must allow enrollment of all Medicare-enrolled providers and suppliers for purposes of processing claims to determine Medicare cost-sharing (as defined in section 1905(p)(3) of the Act) if the providers or suppliers meet all Federal Medicaid enrollment requirements, including, but not limited to, all applicable provisions of 42 CFR part 455, subparts B and E. This paragraph (d) applies even if the Medicare-enrolled provider or supplier is of a type not recognized by the State Medicaid Agency.
42 CFR §455.412, Verification of provider licenses, requires that the State Medicaid agency (SMA) must:
(a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State.
(b) Confirm that the provider's license has not expired and that there are no current limitations on the provider's license.
42 CFR §455.436, Federal database checks, requires that the State Medicaid agency must do all of the following:
(a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases.
(b) Check the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe.
(c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) Check the LEIE and EPLS no less frequently than monthly.
Condition: The State made substantial progress in ensuring compliance with federal requirements relating to the screening, enrollment, and revalidation requirements for providers of managed care organizations during fiscal 2023. While materially complying with these federal requirements, our audit noted the following control deficiencies relating to provider eligibility that need to be addressed:
• Licensing for providers of behavioral healthcare services and home and community-based services to members with developmental disabilities is, by statute, the responsibility of the Department of Behavioral Healthcare, Developmental Disabilities, and Hospitals (BHDDH). BHDDH, in conjunction with evaluations of provider health and safety standards, relicenses providers biennially. Inconsistent with most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual license data from BHDDH resulting in a weakness in control for this segment of providers.
• Licensing for providers of residential services (inclusive of psychiatric services) to children in the State’s custody is, by statute, the responsibility of the Department of Children, Youth, and Families (DCYF). DCYF, in conjunction with evaluations of provider health and safety standards, relicenses providers annually. Inconsistent with most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual license data from DCYF resulting in a weakness in control for this segment of providers.
• We tested a random sample of 120 providers (both fee-for-service and managed care providers) to ensure that providers were properly enrolled in accordance with federal regulations. We identified 5 managed care providers that were not enrolled in accordance with federal regulations (questioned costs - $54,043).
• Encounter data submitted by managed care organizations is not currently validated for provider enrollment upon acceptance. Implementing this additional edit when processing encounter data would improve controls over compliance.
• For claims representing care furnished to a beneficiary by an out-of-state furnishing provider, the SMA may pay a claim to a furnishing provider that is not enrolled in the reimbursing state’s Medicaid plan, in limited circumstances. In these circumstances, the State is required to meet several requirements including verification that the provider is enrolled in good standing in Medicare or another state’s Medicaid program. The State is not currently performing such validation for out-of-State providers with limited claiming activity.
• Federal regulations require States to check federal databases for providers excluded from participating in federal programs monthly as part of provider eligibility requirements. While the State currently checks for exclusion upon initial enrollment, re-enrollment, or if other provider organizational changes are reported, the State does not perform monthly checks.
Cause: Weaknesses in internal controls over provider eligibility that collectively undermine compliance with federal regulations.
Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks.
Questioned Costs: $54,043
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-060 Enhance internal controls over provider eligibility by addressing deficiencies cited that collectively undermine compliance with federal regulations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-061 (material weakness – repeat finding – 2022-067)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirements: Activities Allowed or Unallowed; Allowable Costs/Cost Principles
CONTROLS OVER MANAGED CARE CAPITATION PAYMENTS AND CONTRACT SETTLEMENTS
See related Financial Statement Finding 2023-005.
Capitation payments to managed care organizations (MCOs) represent approximately 65% of Medicaid benefit expenditures. EOHHS needs to improve controls over managed care financial activity to ensure compliance with allowable cost principles for related program expenditures.
Background: Medicaid expenditures for members enrolled in managed care during fiscal 2023 approximated $2.2 billion (monthly capitation payments paid to participating MCOs). This comprised managed care coverage for 321,662 Medicaid eligible members - approximately 86% of total Medicaid enrollees at June 30, 2023. These capitation payments related to the following managed care programs within the State’s Medicaid program:
[See Schedule of Findings and Questioned Costs for table.]
Each of these programs has different population eligibility characteristics, capitation rate structures, and covered in-plan services. However, these programs operate under similar contract structures for purposes of financial settlement with Medicaid.
Recognizing the significance of managed care services within the Medicaid program and the need to strengthen fiscal integrity and accountability controls over these services, the Centers for Medicare & Medicaid Services (CMS) overhauled managed care regulations in fiscal 2020. The revised regulations are designed to strengthen fiscal transparency and integrity of managed care services provided in the Medicaid and CHIP programs.
Since managed care services provided within the RI Medicaid and CHIP programs involve complex rate setting and contract settlement provisions, the reliability and completeness of the mandated data provided by managed care organizations to the State is vital to fiscal integrity and accountability controls.
Criteria: As allowed under federal regulations, the State administers its managed care programs through contracts with MCOs which share the risk regarding financial gain or loss derived from the final contract settlements for the fiscal year. Contract settlements represent significant financial transactions within the Medicaid and CHIP programs and are subject to the provisions of 2 CFR Part 200 (Uniform Guidance). In conjunction with Uniform Guidance requirements, management is responsible for maintaining internal controls that ensure the allowability of federal costs. For benefit costs associated with managed care, the accuracy of contract settlements requires that costs be documented (by submitted encounter data) and in compliance with contractual requirements (e.g., allowable services, net of credits or reimbursements).
Condition: The following findings document control deficiencies and noncompliance with federal requirements which contribute to weakened controls over the allowability of managed care expenditures within Medicaid and CHIP:
• Finding 2023-005, Medicaid Program Complexity Affects Financial Reporting and Overall Program Controls – Highlights the need for system improvements to allow better financial accountability for managed care premiums and to enhance the processing of encounter data in support of the managed care contract settlement process.
• Finding 2023-059, Managed Care Financial Audit – The managed care financial audit requirements included by CMS were designed to improve controls over financial activity and the underlying data reported by managed care organizations, which become the basis for contract settlements with the Medicaid and CHIP programs. The State’s noncompliance with these federal requirements results in weakened controls over the administration of managed care activity.
Addressing the above findings will improve (1) final contract settlements with the MCOs and (2) the reliability of data utilized in developing prospective capitation rates.
In addition to the reliability of the data provided by managed care organizations to the State, ensuring that reported medical expenditures are supported by valid encounter data is an important control over the contract settlement process. In conjunction with our review of fiscal 2022 managed care contract settlements completed after the one-year claim runout period, we reviewed the percentage of reported managed care expenditures by plan versus submitted encounter data by plan. The following table provides context regarding the amount of medical expenditures that were not supported by submitted encounter data in fiscal 2022 contract settlements.
[See Schedule of Findings and Questioned Costs for table.]
Managed care contract settlements, in addition to ensuring that reported medical expenditures are complete and accurate, are highly dependent on reported capitation paid to managed care organizations. During our audit, we noted several areas where controls over capitation can be enhanced by improving controls that ensure timely termination of managed care enrollment when members pass away or relocate out of State.
The current Medicaid Management Information System (MMIS) is over two decades old and was programmed as a medical claims processing system. The system was not programmed with the functionality needed to process capitation adjustments and edit encounter data sufficiently for managed care activity, which represents the majority of Medicaid benefit expenditures.
Cause: Control deficiencies exist relating to final contract settlements with managed care organizations (MCOs) and managed care capitation payments.
Effect: Potential for inaccurate reimbursements to MCOs for contract services provided to Medicaid enrollees.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-061 Improve controls over compliance requirements for the allowability of federal expenditures by addressing internal control deficiencies (including system limitations for managed care capitation adjustments and editing encounter data) that specifically impact financial settlements with managed care organizations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-062 (significant deficiency – repeat finding – 2022-068)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Award Agency: Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Award Agency: Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Reporting
FEDERAL REPORTING
Controls should be improved over the quarterly reporting of expenditures for the Medicaid and CHIP programs.
Criteria: Federal regulations require that expenditures for federal programs be accurately reported on Form CMS-64. The RIFANS accounting system is the State’s official record of federal program expenditures, and therefore, should be the basis for federal reports. Forms CMS-64 and CMS-21 are required for the quarterly filing of benefit and administrative expenditures for the Medicaid and CHIP programs. Additionally, the CMS-425 Report is required quarterly to reflect the cumulative disbursement of program expenditures from authorized grant awards (by federal fiscal year) for the respective programs.
Condition: Reviews of federal reports for fiscal 2023 noted the following reporting deficiencies:
• Approximately $2.7 million in CHIP expenditures were claimed to Medicaid initially and determined retroactively to be CHIP eligible and reclassified on federal reports between the two federal programs. The untimely adjustment of expenditures between the Medicaid and CHIP programs results in timing differences and reporting adjustments that complicate the reconciliation of federal reports to RIFANS for both programs.
• Reconciling administrative expenditures to the State accounting system was not performed consistently by the State’s other health and human service (HHS) agencies charging administrative expenditures to Medicaid. Various HHS agencies utilize six separate and distinct cost allocation plans to allocate administrative expenditures to Medicaid. The lack of a comprehensive administrative costs reconciliation between the CMS-64 Report and the State accounting system prevents quantifying differences between federal expenditures claimed in federal reports and amounts reported in the State’s Schedule of Expenditures of Federal Awards.
• Nursing facility taxes and hospital licensing fees were reported quarterly in accordance with CMS-64 Report requirements. However, EOHHS needs to consider whether other healthcare-related taxes meet the requirements for reporting on the CMS-64 Report to ensure the completeness of reports filed. The OAG specifically inquired regarding premium taxes that are factored into Medicaid managed care rates to determine if that health insurer tax should also be reported on the CMS-64 Report.
Cause: Untimely adjustments of expenditures between the Medicaid and CHIP programs weaken controls over federal reporting for both programs. Lack of complete reconciliation of Medicaid administrative expenditures to the State accounting system represents a weakness in internal control over federal reporting. Procedures to ensure the consistent and complete reporting of healthcare-related taxes and fees on the CMS-64 Report are lacking.
Effect: Increased risk of inaccurate federal reporting.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-062a Eliminate untimely expenditure adjustments between Medicaid and CHIP by addressing RIBridges programming deficiencies which prevent CHIP eligibility from being completely determined and coded through the State’s integrated eligibility system.
2023-062b Require all HHS agencies to submit reconciliations of their quarterly administrative claiming (as determined through approved cost allocation methodologies) to reported expenditures in RIFANS on a quarterly basis.
2023-062c Conduct an analysis of healthcare-related fees and taxes levied by the State to determine if other healthcare-related taxes require reporting in the CMS-64 Report.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-063 (significant deficiency – repeat finding – 2022-069)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER THIRD-PARTY LIABILITY (TPL) IDENTIFICATION FOR MEMBERS COVERED UNDER MANAGED CARE
The State should improve controls relating to the identification of third-party insurance coverage to ensure that, when appropriate, Medicaid is the payer of last resort by (a) ensuring that TPL reported in the MMIS is accurate and up to date, and (b) ensuring that managed care organizations (MCOs) are effectively identifying TPL insurance coverage for Medicaid recipients and cost avoiding for claims covered by other insurance.
Background: The State utilizes a vendor in conjunction with its MMIS operations to identify TPL coverage for Medicaid (and CHIP) eligible members. For members enrolled in managed care, the managed care organizations (MCOs) are responsible for identifying TPL coverage. By contract, MCOs must notify the State of identified TPL within 5 business days of discovery. In response to prior year reporting of this issue, the State began more actively sharing identified TPL information with the MCOs.
Criteria: 42 CFR §433.138 requires that States (as defined in their approved State Plan) must take reasonable measures to determine the legal liability of the third parties responsible for paying for services furnished under the State Plan. Federal regulations indicate the minimum required measures that the State must include in their State Plan. Rhode Island’s State Plan TPL procedures are largely focused on TPL identification processes for fee-for-service claiming within the Medicaid program. The State’s contracts with MCOs include requirements for the identification and reporting of TPL for covered members.
With most Medicaid beneficiaries enrolled in managed care, ensuring the completeness and effectiveness of TPL identification by the MCOs is important to ensure compliance with federal regulations. Actual claims paid by the MCOs become the basis for final contract settlements; therefore, failure to identify other responsible insurance (TPL) prevents timely cost avoidance during claims processing and increases overall contract costs for the Medicaid program.
Condition: During fiscal 2023, we performed certain analytical procedures on MCO encounter data to identify instances where Medicaid recipients (members with Medicaid eligibility for the entire year) had verified TPL coverage that was consistent with their Medicaid managed care coverage to determine the extent to which MCOs were paying for claims that could be cost avoided. We selected a random sample of encounter claims where the State reported verified TPL coverage (positive) and a random sample of encounter claims where the State did not report verified TPL coverage (negative). We confirmed a sample of positive and negative sample items with the MCOs to evaluate the percentage of State verified TPL that the MCOs had successfully identified. Our test results for fiscal 2023 showed notable improvement from prior years. While one MCO reported 100% accuracy in their sample results, two MCOs each reported a 15% error rate (missing TPL coverage for 3 out of 20 members included in our sample).
Our continued analysis of federal requirements for TPL identification and cost avoidance in fiscal 2023, while showing significant improvement, supports the need for continued monitoring and validation procedures by EOHHS. EOHHS should continue to obtain a validated TPL insurance coverage file for Medicaid members annually and share validated TPL coverage with the MCOs. EOHHS should also request Medicaid member TPL coverage from the MCOs annually to validate that the MCOs are utilizing the data provided by the State.
Cause: Insufficient monitoring of TPL identification and cost avoidance by managed care organizations to ensure compliance with federal regulations.
Effect: Possible noncompliance with federal regulations requiring cost avoidance or recovery of costs when third-party liability coverage is available. Overpayment of capitation and MCO contract settlement costs.
Questioned Costs: None
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-063 Share and match identified TPL coverage with the MCOs annually. Periodic matching with MCO enrollment files would ensure that TPL coverage is consistently being applied throughout the Medicaid and CHIP programs.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-059 (material noncompliance / material weakness – repeat finding – 2022-065)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Managed Care Financial Audit
MANAGED CARE FINANCIAL AUDIT
The State is not currently in compliance with federal requirements to obtain audited financial reports from its managed care organizations (MCO) in accordance with 42 CFR §438.3(m).
Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs:
• 42 CFR §438.3(m) Audited financial reports. “The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.”
• 42 CFR §438.602(e) Periodic audits. “The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.”
Condition: Federal program integrity requirements requiring audits of MCO financial reports have not been implemented by the State. This requirement is effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the financial report audit requirement has not been complied with.
The State continued to improve its compliance with these federal requirements during fiscal 2023 by contracting for its first study of encounter data validation. The encounter data validation study was designed to identify incomplete data, perform missing data quality checks, and assess the frequency and impact of late encounter data submissions. This study identified several areas where encounter data quality and consistency can be improved moving forward. The study of encounter data quality coupled with EOHHS’s internal efforts to reconcile submitted encounter data with the Financial Data Cost Reports (FDCR) submitted by the plans has significantly improved financial accountability within managed care.
Cause: Failure to implement federal requirements for stated effective date.
Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-059a Implement policies and procedures to comply with federal regulations for audits of MCO financial reports.
2023-059b Address deficiencies identified by the contracted encounter data study by ensuring corrective action is taken by the MCOs.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-054 (significant deficiency – repeat finding – 2022-040)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RITANF and G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Award Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Finding 2023-016.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, and improved monitoring of system access by the MMIS system contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to be biennial);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations – these reviews are performed annually with the audit scope rotating over a three-year period;
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information; and
• Independent Verification & Validation (IV&V) monitoring services into which the State has incorporated certain IT security monitoring functions (e.g., vulnerability scanning and analysis, participating in regular IT security meetings).
In fiscal 2023, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since attestation engagements are not contractually required annually). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-054a Improve monitoring of MMIS system access, removal of system access upon user termination, and consideration and documentation of user entity controls.
2023-054b Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-058 (other noncompliance / significant deficiency – new finding)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
INTERNAL CONTROLS OVER COST ALLOCATION
Internal controls over administrative costs allocated to the Medical Assistance and CHIP programs need to be improved to ensure that costs allocated to the programs comply with federal regulations.
Background: Administrative expenditures incurred by various State agencies involved in the administration of Medicaid and CHIP programs (e.g., EOHHS, Department of Behavioral Healthcare, Developmental Disabilities & Hospitals (BHDDH), Department of Children, Youth, & Families (DCYF)) are allocated to the programs through federally approved cost allocation systems. All administrative expenditures determined allowable for claiming to the programs are reported to EOHHS which claims the expenditures on federal reports. Agencies adjust administrative expenditures reported in the State accounting system periodically to align with the administrative costs determined through their respective cost allocation systems.
Criteria: Management is responsible for implementing and maintaining internal controls to ensure administrative costs are charged in accordance with federal regulations.
Condition: While all State agencies administering Medical Assistance and CHIP programs utilize federally approved cost allocation plans, internal controls are not sufficiently documented and monitored to ensure expenditures allocated to federal programs are accurate and in compliance with federal regulations. Recommended controls found to be specifically lacking included:
• Documented reconciliations between costs allocated to federal programs and the State accounting system were lacking or untimely;
• Most agency cost allocation systems are operated by one individual, thus supervisory review and monitoring of the process is lacking and not formalized; and
• Most agencies do not conduct any monitoring to ensure that administrative expenditures being allocated to federal programs meet the requirements of federal Uniform Guidance.
During our audit, certain findings were not identified in a timely manner due to the above control deficiencies:
• EOHHS did not reconcile quarterly cost allocation results with the State accounting system in a timely manner; and
• BHDDH’s adjustment of cost allocation resulted in significantly overstated federal expenditures in the State accounting system due to staff errors.
While both findings impacted federal expenditures reported in the State’s Schedule of Expenditures of Federal Awards, the impact on federal expenditures claimed on the CMS-64 Report is not known and is under review by both agencies.
Cause: Deficiencies in internal control over administrative expenditure claiming to Medicaid and CHIP.
Effect: Potential noncompliance with federal requirements relating to allowable costs.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-058 Improve internal controls over administrative claiming to federal programs, including documentation of policies and procedures and improved supervision and monitoring of the cost allocation process.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-059 (material noncompliance / material weakness – repeat finding – 2022-065)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Managed Care Financial Audit
MANAGED CARE FINANCIAL AUDIT
The State is not currently in compliance with federal requirements to obtain audited financial reports from its managed care organizations (MCO) in accordance with 42 CFR §438.3(m).
Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs:
• 42 CFR §438.3(m) Audited financial reports. “The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.”
• 42 CFR §438.602(e) Periodic audits. “The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.”
Condition: Federal program integrity requirements requiring audits of MCO financial reports have not been implemented by the State. This requirement is effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the financial report audit requirement has not been complied with.
The State continued to improve its compliance with these federal requirements during fiscal 2023 by contracting for its first study of encounter data validation. The encounter data validation study was designed to identify incomplete data, perform missing data quality checks, and assess the frequency and impact of late encounter data submissions. This study identified several areas where encounter data quality and consistency can be improved moving forward. The study of encounter data quality coupled with EOHHS’s internal efforts to reconcile submitted encounter data with the Financial Data Cost Reports (FDCR) submitted by the plans has significantly improved financial accountability within managed care.
Cause: Failure to implement federal requirements by the stated effective date.
Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-059a Implement policies and procedures to comply with federal regulations for audits of MCO financial reports.
2023-059b Address deficiencies identified by the contracted encounter data study by ensuring corrective action is taken by the MCOs.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-060 (other noncompliance / material weakness – repeat finding – 2022-066)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Provider Eligibility
MEDICAID MANAGED CARE ORGANIZATIONS – PROVIDER ELIGIBILITY
Controls over the screening, enrollment, and revalidation of providers within the Medicaid program should be improved to ensure compliance with federal requirements relating to provider eligibility.
Criteria: 42 CFR §455.410, Enrollment and screening of providers, requires:
(a) The State Medicaid agency must require all enrolled providers to be screened under this subpart.
(b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers.
(c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following:
(1) Medicare contractors.
(2) Medicaid agencies or Children's Health Insurance Programs of other States.
(d) The State Medicaid agency must allow enrollment of all Medicare-enrolled providers and suppliers for purposes of processing claims to determine Medicare cost-sharing (as defined in section 1905(p)(3) of the Act) if the providers or suppliers meet all Federal Medicaid enrollment requirements, including, but not limited to, all applicable provisions of 42 CFR part 455, subparts B and E. This paragraph (d) applies even if the Medicare-enrolled provider or supplier is of a type not recognized by the State Medicaid Agency.
42 CFR §455.412, Verification of provider licenses, requires that the State Medicaid agency (SMA) must:
(a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State.
(b) Confirm that the provider's license has not expired and that there are no current limitations on the provider's license.
42 CFR §455.436, Federal database checks, requires that the State Medicaid agency must do all of the following:
(a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases.
(b) Check the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe.
(c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) Check the LEIE and EPLS no less frequently than monthly.
Condition: The State made substantial progress in ensuring compliance with federal requirements relating to the screening, enrollment, and revalidation requirements for providers of managed care organizations during fiscal 2023. While materially complying with these federal requirements, our audit noted the following control deficiencies relating to provider eligibility that need to be addressed:
• Licensing for providers of behavioral healthcare services and home and community-based services to members with developmental disabilities is, by statute, the responsibility of the Department of Behavioral Healthcare, Developmental Disabilities, and Hospitals (BHDDH). BHDDH, in conjunction with evaluations of provider health and safety standards, relicenses providers biennially. Inconsistent with most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual license data from BHDDH resulting in a weakness in control for this segment of providers.
• Licensing for providers of residential services (inclusive of psychiatric services) to children in the State’s custody is, by statute, the responsibility of the Department of Children, Youth, and Families (DCYF). DCYF, in conjunction with evaluations of provider health and safety standards, relicenses providers annually. Inconsistent with most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual license data from DCYF resulting in a weakness in control for this segment of providers.
• We tested a random sample of 120 providers (both fee-for-service and managed care providers) to ensure that providers were properly enrolled in accordance with federal regulations. We identified 5 managed care providers that were not enrolled in accordance with federal regulations (questioned costs - $54,043).
• Encounter data submitted by managed care organizations is not currently validated for provider enrollment upon acceptance. Implementing this additional edit when processing encounter data would improve controls over compliance.
• For claims representing care furnished to a beneficiary by an out-of-state furnishing provider, the SMA may pay a claim to a furnishing provider that is not enrolled in the reimbursing state’s Medicaid plan, in limited circumstances. In these circumstances, the State is required to meet several requirements including verification that the provider is enrolled in good standing in Medicare or another state’s Medicaid program. The State is not currently performing such validation for out-of-State providers with limited claiming activity.
• Federal regulations require States to check federal databases for providers excluded from participating in federal programs monthly as part of provider eligibility requirements. While the State currently checks for exclusion upon initial enrollment, re-enrollment, or if other provider organizational changes are reported, the State does not perform monthly checks.
Cause: Weaknesses in internal controls over provider eligibility that collectively undermine compliance with federal regulations.
Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks.
Questioned Costs: $54,043
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-060 Enhance internal controls over provider eligibility by addressing deficiencies cited that collectively undermine compliance with federal regulations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-061 (material weakness – repeat finding – 2022-067)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirements: Activities Allowed or Unallowed; Allowable Costs/Cost Principles
CONTROLS OVER MANAGED CARE CAPITATION PAYMENTS AND CONTRACT SETTLEMENTS
See related Financial Statement Finding 2023-005.
Capitation payments to managed care organizations (MCOs) represent approximately 65% of Medicaid benefit expenditures. EOHHS needs to improve controls over managed care financial activity to ensure compliance with allowable cost principles for related program expenditures.
Background: Medicaid expenditures for members enrolled in managed care during fiscal 2023 approximated $2.2 billion (monthly capitation payments paid to participating MCOs). This comprised managed care coverage for 321,662 Medicaid eligible members - approximately 86% of total Medicaid enrollees at June 30, 2023. These capitation payments related to the following managed care programs within the State’s Medicaid program:
[See Schedule of Findings and Questioned Costs for table.]
Each of these programs has different population eligibility characteristics, capitation rate structures, and covered in-plan services. However, these programs operate under similar contract structures for purposes of financial settlement with Medicaid.
Recognizing the significance of managed care services within the Medicaid program and the need to strengthen fiscal integrity and accountability controls over these services, the Centers for Medicare & Medicaid Services (CMS) overhauled managed care regulations in fiscal 2020. The revised regulations are designed to strengthen fiscal transparency and integrity of managed care services provided in the Medicaid and CHIP programs.
Since managed care services provided within the RI Medicaid and CHIP programs involve complex rate setting and contract settlement provisions, the reliability and completeness of the mandated data provided by managed care organizations to the State is vital to fiscal integrity and accountability controls.
Criteria: As allowed under federal regulations, the State administers its managed care programs through contracts with MCOs which share the risk regarding financial gain or loss derived from the final contract settlements for the fiscal year. Contract settlements represent significant financial transactions within the Medicaid and CHIP programs and are subject to the provisions of 2 CFR Part 200 (Uniform Guidance). In conjunction with Uniform Guidance requirements, management is responsible for maintaining internal controls that ensure the allowability of federal costs. For benefit costs associated with managed care, the accuracy of contract settlements requires that costs be documented (by submitted encounter data) and in compliance with contractual requirements (e.g., allowable services, net of credits or reimbursements).
Condition: The following findings document control deficiencies and noncompliance with federal requirements which contribute to weakened controls over the allowability of managed care expenditures within Medicaid and CHIP:
• Finding 2023-005, Medicaid Program Complexity Affects Financial Reporting and Overall Program Controls – Highlights the need for system improvements to allow better financial accountability for managed care premiums and to enhance the processing of encounter data in support of the managed care contract settlement process.
• Finding 2023-059, Managed Care Financial Audit – CMS’s inclusion of financial audit requirements relating to managed care was designed to improve controls over financial activity and the underlying data reported by managed care organizations, which become the basis for contract settlements with the Medicaid and CHIP programs. The State’s noncompliance with these federal requirements results in weakened controls over the administration of managed care activity.
Addressing the above findings will improve (1) final contract settlements with the MCOs and (2) the reliability of data utilized in developing prospective capitation rates.
In addition to the reliability of the data provided by managed care organizations to the State, ensuring that reported medical expenditures are supported by valid encounter data is an important control over the contract settlement process. In conjunction with our review of fiscal 2022 managed care contract settlements completed after the one-year claim runout period, we reviewed the percentage of reported managed care expenditures by plan versus submitted encounter data by plan. The following table provides context regarding the amount of medical expenditures that were not supported by submitted encounter data in fiscal 2022 contract settlements.
[See Schedule of Findings and Questioned Costs for table.]
Managed care contract settlements, in addition to ensuring that reported medical expenditures are complete and accurate, are highly dependent on reported capitation paid to managed care organizations. During our audit, we noted several areas where controls over capitation can be enhanced by improving controls that ensure timely termination of managed care enrollment when members pass away or relocate out of State.
The current Medicaid Management Information System (MMIS) is over two decades old and was programmed as a medical claims processing system. The system was not programmed with the functionality needed to process capitation adjustments and edit encounter data sufficiently for managed care activity, which represents the majority of Medicaid benefit expenditures.
Cause: Control deficiencies exist relating to final contract settlements with managed care organizations (MCOs) and managed care capitation payments.
Effect: Potential for inaccurate reimbursements to MCOs for contract services provided to Medicaid enrollees.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-061 Improve controls over compliance requirements for the allowability of federal expenditures by addressing internal control deficiencies (including system limitations for managed care capitation adjustments and editing encounter data) that specifically impact financial settlements with managed care organizations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-062 (significant deficiency – repeat finding – 2022-068)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Reporting
FEDERAL REPORTING
Controls should be improved over the quarterly reporting of expenditures for the Medicaid and CHIP programs.
Criteria: Federal regulations require that expenditures for federal programs be accurately reported on Form CMS-64. The RIFANS accounting system is the State’s official record of federal program expenditures, and therefore, should be the basis for federal reports. Forms CMS-64 and CMS-21 are required for the quarterly filing of benefit and administrative expenditures for the Medicaid and CHIP programs. Additionally, the CMS-425 Report is required quarterly to reflect the cumulative disbursement of program expenditures from authorized grant awards (by federal fiscal year) for the respective programs.
Condition: Reviews of federal reports for fiscal 2023 noted the following reporting deficiencies:
• Approximately $2.7 million in CHIP expenditures were claimed to Medicaid initially and determined retroactively to be CHIP eligible and reclassified on federal reports between the two federal programs. The untimely adjustment of expenditures between the Medicaid and CHIP programs results in timing differences and reporting adjustments that complicate the reconciliation of federal reports to RIFANS for both programs.
• Reconciling administrative expenditures to the State accounting system was not performed consistently by the State’s other health and human service (HHS) agencies charging administrative expenditures to Medicaid. Various HHS agencies utilize six separate and distinct cost allocation plans to allocate administrative expenditures to Medicaid. The lack of a comprehensive administrative costs reconciliation between the CMS-64 Report and the State accounting system prevents quantifying differences between federal expenditures claimed in federal reports and amounts reported in the State’s Schedule of Expenditures of Federal Awards.
• Nursing facility taxes and hospital licensing fees were reported quarterly in accordance with CMS-64 Report requirements. However, EOHHS needs to consider whether other healthcare-related taxes meet the requirements for reporting on the CMS-64 Report to ensure the completeness of reports filed. The OAG specifically inquired regarding premium taxes that are factored into Medicaid managed care rates to determine if that health insurer tax should also be reported on the CMS-64 Report.
Cause: Untimely adjustments of expenditures between the Medicaid and CHIP programs weaken controls over federal reporting for both programs. Lack of complete reconciliation of Medicaid administrative expenditures to the State accounting system represents a weakness in internal control over federal reporting. Procedures to ensure the consistent and complete reporting of healthcare-related taxes and fees on the CMS-64 Report are lacking.
Effect: Increased risk of inaccurate federal reporting.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-062a Eliminate untimely expenditure adjustments between Medicaid and CHIP by addressing RIBridges programming deficiencies which prevent CHIP eligibility from being completely determined and coded through the State’s integrated eligibility system.
2023-062b Require all HHS agencies to submit reconciliations of their quarterly administrative claiming (as determined through approved cost allocation methodologies) to reported expenditures in RIFANS on a quarterly basis.
2023-062c Conduct an analysis of healthcare-related fees and taxes levied by the State to determine if other healthcare-related taxes require reporting in the CMS-64 Report.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-063 (significant deficiency – repeat finding – 2022-069)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER THIRD-PARTY LIABILITY (TPL) IDENTIFICATION FOR MEMBERS COVERED UNDER MANAGED CARE
The State should improve controls relating to the identification of third-party insurance coverage to ensure that, when appropriate, Medicaid is the payer of last resort by (a) ensuring that TPL reported in the MMIS is accurate and up to date, and (b) ensuring that managed care organizations (MCOs) are effectively identifying TPL insurance coverage for Medicaid recipients and cost avoiding for claims covered by other insurance.
Background: The State utilizes a vendor in conjunction with its MMIS operations to identify TPL coverage for Medicaid (and CHIP) eligible members. For members enrolled in managed care, the managed care organizations (MCOs) are responsible for identifying TPL coverage. By contract, MCOs must notify the State of identified TPL within 5 business days of discovery. In response to prior year reporting of this issue, the State began more actively sharing identified TPL information with the MCOs.
Criteria: 42 CFR §433.138 requires that States (as defined in their approved State Plan) must take reasonable measures to determine the legal liability of the third parties responsible for paying for services furnished under the State Plan. Federal regulations indicate the minimum required measures that the State must include in their State Plan. Rhode Island’s State Plan TPL procedures are largely focused on TPL identification processes for fee-for-service claiming within the Medicaid program. The State’s contracts with MCOs include requirements for the identification and reporting of TPL for covered members.
With most Medicaid beneficiaries enrolled in managed care, ensuring the completeness and effectiveness of TPL identification by the MCOs is important to ensure compliance with federal regulations. Actual claims paid by the MCOs become the basis for final contract settlements; therefore, failure to identify other responsible insurance (TPL) prevents timely cost avoidance during claims processing and increases overall contract costs for the Medicaid program.
Condition: During fiscal 2023, we performed certain analytical procedures on MCO encounter data to identify instances where Medicaid recipients (members with Medicaid eligibility for the entire year) had verified TPL coverage that was consistent with their Medicaid managed care coverage to determine the extent to which MCOs were paying for claims that could be cost avoided. We selected a random sample of encounter claims where the State reported verified TPL coverage (positive) and a random sample of encounter claims where the State did not report verified TPL coverage (negative). We confirmed a sample of positive and negative sample items with the MCOs to evaluate the percentage of State verified TPL that the MCOs had successfully identified. Our test results for fiscal 2023 showed notable improvement from prior years. While one MCO reported 100% accuracy in their sample results, two MCOs each reported a 15% error rate (missing TPL coverage for 3 out of 20 members included in our sample).
Our continued analysis of federal requirements for TPL identification and cost avoidance in fiscal 2023, while showing significant improvement, supports the need for continued monitoring and validation procedures by EOHHS. EOHHS should continue to obtain a validated TPL insurance coverage file for Medicaid members annually and share validated TPL coverage with the MCOs. EOHHS should also request Medicaid member TPL coverage from the MCOs annually to validate that the MCOs are utilizing the data provided by the State.
Cause: Insufficient monitoring of TPL identification and cost avoidance by managed care organizations to ensure compliance with federal regulations.
Effect: Possible noncompliance with federal regulations requiring cost avoidance or recovery of costs when third-party liability coverage is available. Overpayment of capitation and MCO contract settlement costs.
Questioned Costs: None
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-063 Share and match identified TPL coverage with the MCOs annually. Periodic matching with MCO enrollment files would ensure that TPL coverage is consistently being applied throughout the Medicaid and CHIP programs.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-064 (other noncompliance / material weakness – new finding)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Eligibility
CONTROLS OVER MEDICAID ELIGIBILITY
Operational and control deficiencies during fiscal 2023 resulted in noncompliance with federal regulations relating to Medicaid eligibility.
Background: RIBridges, the State’s computer system used to manage multiple federally funded human service programs, determines eligibility for Medicaid. The COVID-19 public health emergency (PHE), which continued until May 2023, restricted States from modifying recipient eligibility during the PHE, except for certain circumstances (i.e., death, relocation out of State, voluntary member withdrawal).
Criteria: Medicaid eligibility requirements are detailed in the State Plan (Section 1115 Global Waiver).
42 CFR sections 435.940 through 435.960, which detail income and eligibility verification requirements for Medicaid, require State-administered public assistance programs to establish procedures for obtaining, using, and verifying information relevant to determinations as to eligibility and the amount of assistance. Section 1902(a)(4) of the Act allows the HHS Secretary to prescribe methods of administration found necessary for the proper and efficient operation of a State’s Medicaid plan.
42 CFR §435.916 requires the periodic renewal of recipient Medicaid eligibility. The 12-month renewal period mandated for MAGI-eligible recipients pertains to the majority of Medicaid and CHIP recipients in Rhode Island.
Condition: For fiscal 2023, we tested a sample of 60 Medicaid eligible members for compliance with program eligibility (capitation payments claimed for the members tested totaled $240,129, federal share - $172,893). Capitation payments claimed to Medicaid totaled $1.8 billion (federal share - $1.3 billion) during fiscal 2023. Both systemic and operational deficiencies were noted during our testing, resulting in noncompliance with eligibility requirements for the Medicaid program, specifically:
• Inconsistencies with the operation of the State Wage Information Collection Agency (SWICA) interface were noted in 2 out of 60 cases (questioned costs - $2,007). Eligibility determinations in these cases were post-PHE and actual reported SWICA income would have made the members ineligible for Medicaid.
• A member was determined ineligible in RIBridges beginning 11/1/2019 (pre-PHE) but has remained continuously eligible on Medicaid (questioned costs - $5,443).
• Documentation supporting income (e.g., electronic SWICA validation or applicant submitted documentation (i.e., paystubs)) was lacking in 4 out of 60 cases. Since we were able to perform alternative procedures to validate reported income to SWICA data provided by the Department of Labor and Training, these cases were not deemed to be noncompliance as reported household income would have made these members eligible for Medicaid.
As noted above, eligibility was determined to be incorrect or unsupported in 3 of 60 sample members tested (5% error rate). Total questioned costs identified during our testing were $7,450.
In addition to the noncompliance reported above, the State continued to claim Medicaid Expansion enhanced reimbursement (90% FMAP (Federal Medical Assistance Percentage)) for certain members older than 65 during fiscal 2023. While PHE requirements allowed members to remain eligible on Medicaid, states needed to redetermine eligibility for these members upon reaching age 65 to see if they were eligible for a different Medicaid eligibility category. In conjunction with our Medicaid eligibility testing, we tested a random sample of 23 Medicaid Expansion members over the age of 65 for redetermination by the State. Our testing found that 11 out of the 23 members tested turned age 65 prior to the PHE period beginning in March 2020, thus enhanced federal reimbursement should have ended upon turning age 65 (questioned costs - $79,946). Since redetermination was not performed, we could not determine if the individuals would have remained qualified for Medicaid. Our analysis identified 158 members based on date of birth that should have aged out of Medicaid expansion prior to the start of the PHE.
During our audit, utilizing the U.S. Department of Treasury’s “Do Not Pay” service, we evaluated the Medicaid enrollment file as of June 30, 2023 to determine the State’s timeliness of terminating eligibility for deceased members. The “Do Not Pay” service compared the Medicaid enrollment file to the Social Security Administration (SSA) Death Master File to determine if currently enrolled members were reported deceased to the SSA. This analysis identified 3,298 deceased members still active on Medicaid at June 30, 2023. The period by which the members remained active on Medicaid after reported death, the number of members, and the amount of capitation paid in fiscal 2023 subsequent to the month of death is summarized as follows:
[See Schedule of Findings and Questioned Costs for table.]
Controls to ensure timely termination of Medicaid enrollment upon death still appear lacking to prevent capitation payments from being made for deceased members. While capitation can be recouped once identified, the length of time that payments continue is significant and could span managed care contract settlement periods. Under federal regulations, capitation payments for deceased members would be considered an ineligible payment of federal funds.
While we noted instances where RI Medicaid was recouping capitation once death was recorded in the MMIS for certain cases, the length of time that managed care capitation was continuing is indicative that system controls were not effective in terminating coverage in a timely manner. A detailed review of some of these cases noted that RIBridges was aware of the date of death, but eligibility was still active or pending closure. In many cases, the reported date of death was not communicated to the MMIS, resulting in continued capitation payments. The amounts included above had active eligibility at June 30, 2023 and capitation had not been recouped during fiscal 2023. Of the 3,298 members identified as deceased, 521 had reported dates of death older than two years. Based on our June 30, 2023 evaluation, estimated questioned costs for capitation payments made for deceased individuals totaled $5,125,758, pending recoupment of capitation payments to managed care organizations and the transportation provider.
In conjunction with audit work performed during fiscal 2023 to evaluate the effectiveness of systemic processes in RIBridges designed to identify Medicaid/CHIP members no longer residing in the State, we determined that the system functionality to follow-up on Public Assistance Reporting Information System (PARIS) notifications was not operating as designed. PARIS notifies States when a member has begun receiving benefits in another state or territory. The State opted to pause the functionality due to a lack of operational capacity to adhere to CMS 9912 Final Rule which required the State to pursue additional reasonable measures during the PHE before terminating the individual’s enrollment. With systemic controls paused, controls over member residency during our audit period were ineffective. The amount of capitation paid for Medicaid members no longer residing in the State was not determinable for our audit period.
Lastly, we identified some instances where non-qualified, non-citizen children that were eligible under a State coverage program titled “Cover All Kids” had been coded with Medicaid aid categories during certain periods within fiscal 2023. Our analysis found that the coding error likely impacted 373 cases within Medicaid during fiscal 2023. Since the duration of the coding error varied, ineligible costs could not be determined.
Operational and control deficiencies during fiscal 2023 resulted in noncompliance with federal regulations relating to Medicaid eligibility.
Cause: Noncompliance with Medicaid eligibility requirements was caused by specific programming deficiencies within RIBridges (e.g., failure to redetermine Medicaid Expansion members upon age 65, interface validations not operating as designed) or insufficient documentation supporting eligibility within the case record (e.g., lack of income documentation).
Effect: Noncompliance with federal requirements relating to recipient eligibility for Medicaid.
Questioned Costs: $5,213,154
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2023-064a Address and correct the RIBridges system deficiencies (e.g., SWICA interface, Medicaid Expansion age-out, Death reporting) which weaken controls and result in noncompliance with federal regulations regarding Medicaid eligibility.
2023-064b Enhance controls over the identification of deceased members and members that have relocated out-of-State to minimize ineligible benefit payments within the Medicaid program.
2023-064c Identify ineligible Medicaid costs and return to the federal grantor.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-065 (other noncompliance / significant deficiency – repeat finding – 2022-073)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
SERVICES PROVIDED TO CHILDREN IN THE STATE’S CUSTODY BY THE DEPARTMENT OF CHILDREN, YOUTH, AND FAMILIES (DCYF) BILLED TO MEDICAID
Certain psychiatric residential treatment facility (PRTF) services provided to children in the State’s custody were not charged to Medicaid in fiscal 2023 in accordance with the methodology approved in the State Plan. Controls over other services provided to children in the State’s custody would be improved if processed through the Medicaid Management Information System (MMIS).
Background: EOHHS, the Single State Medicaid Agency, administers claiming to Medicaid from other health and human service State agencies (such as DCYF) through the execution of Interagency Service Agreements (ISAs). The ISA provides approval by the Single State Medicaid Agency that the proposed services are allowable and identifies requirements that the other agency must comply with to support the allowability of the claims to Medicaid. Services authorized by the ISAs should be claimed in accordance with approved State Plan requirements. PRTF services (which began in fiscal 2020) claimed by DCYF to Medicaid are an identified service within the ISA. The approval to claim these services based on an all-inclusive rate determined through a cost-based methodology was approved by the Centers for Medicare and Medicaid Services (CMS) in fiscal 2023.
Criteria: Reimbursing providers in accordance with an approved State Plan methodology is a requirement for considering the allowability of federal expenditures. The Medicaid State Plan stipulates a cost reimbursement methodology for establishment of reimbursement rates for PRTF service providers.
Condition: DCYF implemented psychiatric residential treatment facility (PRTF) services during fiscal 2020 to provide a current level of service to children in the State’s custody that was previously lacking. Previously, DCYF allocated claiming for all contracted youth placement providers to Medicaid based on a time study methodology (partial charging, previously based on underlying time study allocation for treatment and assessment component of service provided). PRTF placements were a change, in that certified and licensed facilities would be charged at 100% of the contracted per diem rate (set based on a cost reimbursement methodology) to Medicaid. Medicaid reimbursements have been made to DCYF since inception of PRTF services based on the new methodology (determined through provider budget submission). CMS approved a State Plan amendment for a cost reimbursement methodology during fiscal 2023. PRTF services during fiscal 2023 continued to be reimbursed through an unapproved methodology. DCYF was reimbursed approximately $5.4 million for PRTF services provided to children in the State’s custody during fiscal 2023.
During our audit, we also noted that approximately $20 million in other services to children in the State’s custody (referred to as manual billings by DCYF) are being claimed to Medicaid through journal entries in the State Accounting System. Controls over these services would be greatly enhanced if these providers submitted claims directly to the MMIS for reimbursement. Allowing fee-for-service claiming to be reimbursed by Medicaid external to the MMIS significantly weakens program controls.
Cause: Medicaid reimbursements of PRTF services to DCYF during fiscal 2023 were not based on the specific cost reimbursement methodology approved in the State plan. Control weaknesses exist when Medicaid claiming is not processed through the MMIS.
Effect: Potential noncompliance with federal regulations for allowable costs/cost principles.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-065a Reprocess claims for PRTF services to ensure that the provider is reimbursed based on the allowable cost reimbursement methodology and return any ineligible amounts to the federal grantor.
2023-065b Ensure that allowable medical services provided by DCYF providers are billed directly to the MMIS and subject to all designed claims processing, recipient eligibility, and provider eligibility controls.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-066 (significant deficiency – new finding)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER STATE HOSPITAL CLAIMING
Controls need to be improved to ensure that claims from the State Hospital are reimbursed by Medicaid as the payer of last resort.
Criteria: Federal regulations require Medicaid to be the “payer of last resort.” This means that all third party insurance carriers, including Medicare and private health insurance carriers, must be billed before Medicaid processes the claim.
Condition: Unlike similar providers that claim reimbursement to Medicaid, claims submitted by Eleanor Slater Hospital (ESH), a State-operated hospital, are not edited to ensure that ESH has sought reimbursement from Medicare before seeking reimbursement from Medicaid. Normal processing requires the provider to submit to Medicaid an “explanation of benefits” (EOB) from Medicare which shows that Medicare was billed and was not reimbursed or only partially reimbursed for the claim based on the individual’s remaining benefits. The amount of claims, if any, inappropriately reimbursed by Medicaid could not be determined.
Cause: Controls over State Hospital claiming were inadequate to ensure compliance with federal regulations requiring Medicaid to be the payer of last resort.
Effect: Ineligible reimbursements by Medicaid for Eleanor Slater Hospital claims for members with other insurance coverage (predominantly Medicare).
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-066 Ensure that claiming from Eleanor Slater Hospital is subject to edits for other insurance to ensure that Medicaid is the payer of last resort.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-067 (significant deficiency – new finding)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER SPECIAL EDUCATION SERVICES PROVIDED BY LOCAL EDUCATION AGENCIES
Special education services monitoring needs more oversight to ensure that required corrective actions and certifications are obtained from local education agencies.
Criteria: The State has established policies and procedures relating to its oversight of special education services claiming by local education agencies (LEAs). These policies and procedures are detailed in EOHHS’s Direct and Administrative Services Guidebooks for LEAs. The guidebooks, among several requirements, mandate a) the submission of a quality assurance Medicaid Action Plan (LEA policies and procedures to ensure claiming meets federal requirements) and b) the quarterly submission of the Certification of Funds letters in accordance with the EOHHS/LEA Interagency Provider Agreement which attests to the provision of State match requirements by the local education agencies.
Condition: Our review of EOHHS’ monitoring of LEA special education services billed to Medicaid identified the following:
• 1 LEA in our sample of 4 providers (out of 42 providers) had not submitted the required Medicaid Action Plan until requested during our audit, and
• EOHHS could not provide documentation of quarterly Certification of Funds letters submitted from all 4 providers sampled.
While our testing found that EOHHS’ monitoring was substantially being performed during fiscal 2023, documentation of certain compliance areas was lacking. Since other monitoring procedures were found to be in place for the providers reviewed, we did not consider claiming reimbursed to these providers to represent noncompliance with federal regulations.
Cause: Monitoring special education services was impacted by staff turnover during fiscal 2023 and oversight by EOHHS did not detect the noncompliance with departmental policies and procedures.
Effect: Potential noncompliance with federal regulations regarding the allowability of special education services reimbursed by Medicaid.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-067 Enhance oversight of special education services by LEAs to ensure compliance with adopted policies and procedures.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-054 (significant deficiency – repeat finding – 2022-040)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RITANF and G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Finding 2023-016.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, and improved monitoring of system access by the MMIS system contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to be biennial);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations – these reviews are performed annually with the audit scope rotating over a three-year period;
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information; and
• Independent Verification & Validation (IV&V) monitoring services into which the State has incorporated certain IT security monitoring functions (e.g., vulnerability scanning and analysis, participating in regular IT security meetings).
In fiscal 2023, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since attestation engagements are not contractually required annually). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-054a Improve monitoring of MMIS system access, removal of system access upon user termination, and consideration and documentation of user entity controls.
2023-054b Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-058 (other noncompliance / significant deficiency – new finding)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
INTERNAL CONTROLS OVER COST ALLOCATION
Internal controls over administrative costs allocated to the Medical Assistance and CHIP programs need to be improved to ensure that costs allocated to the programs comply with federal regulations.
Background: Administrative expenditures incurred by various State agencies involved in the administration of Medicaid and CHIP programs (e.g., EOHHS, Department of Behavioral Healthcare, Developmental Disabilities & Hospitals (BHDDH), Department of Children, Youth, & Families (DCYF)) are allocated to the programs through federally approved cost allocation systems. All administrative expenditures determined allowable for claiming to the programs are reported to EOHHS which claims the expenditures on federal reports. Agencies adjust administrative expenditures reported in the State accounting system periodically to align with the administrative costs determined through their respective cost allocation systems.
Criteria: Management is responsible for implementing and maintaining internal controls to ensure administrative costs are charged in accordance with federal regulations.
Condition: While all State agencies administering Medical Assistance and CHIP programs utilize federally approved cost allocation plans, internal controls are not sufficiently documented and monitored to ensure expenditures allocated to federal programs are accurate and in compliance with federal regulations. Recommended controls found to be specifically lacking included:
• Documented reconciliations between costs allocated to federal programs and the State accounting system were lacking or untimely;
• Most agency cost allocation systems are operated by one individual, thus supervisory review and monitoring of the process is lacking and not formalized; and
• Most agencies do not conduct any monitoring to ensure that administrative expenditures being allocated to federal programs meet the requirements of federal Uniform Guidance.
During our audit, certain findings were not identified in a timely manner due to the above control deficiencies:
• EOHHS did not reconcile quarterly cost allocation results with the State accounting system in a timely manner; and
• BHDDH’s adjustment of cost allocation resulted in significantly overstated federal expenditures in the State accounting system due to staff errors.
While both findings impacted federal expenditures reported in the State’s Schedule of Expenditure of Federal Awards, the impact on federal expenditures claimed on the CMS-64 Report is not known and under review by both agencies.
Cause: Deficiencies in internal control over administrative expenditure claiming to Medicaid and CHIP.
Effect: Potential noncompliance with federal requirements relating to allowable costs.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-058 Improve internal controls over administrative claiming to federal programs, including documentation of policies and procedures and improved supervision and monitoring of the cost allocation process.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-059 (material noncompliance / material weakness – repeat finding – 2022-065)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Managed Care Financial Audit
MANAGED CARE FINANCIAL AUDIT
The State is not currently in compliance with federal requirements to obtain audited financial reports from its managed care organizations (MCO) in accordance with 42 CFR §438.3(m).
Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs:
• 42 CFR §438.3(m) Audited financial reports. “The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.”
• 42 CFR §438.602(e) Periodic audits. “The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.”
Condition: Federal program integrity requirements requiring audits of MCO financial reports have not been implemented by the State. This requirement is effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the financial report audit requirement has not been complied with.
The State continued to improve its compliance with these federal requirements during fiscal 2023 by contracting for its first study of encounter data validation. The encounter data validation study was designed to identify incomplete data, perform missing data quality checks, and assess the frequency and impact of late encounter data submissions. This study identified several areas where encounter data quality and consistency can be improved moving forward. The study of encounter data quality coupled with EOHHS’s internal efforts to reconcile submitted encounter data with the Financial Data Cost Reports (FDCR) submitted by the plans has significantly improved financial accountability within managed care.
Cause: Failure to implement federal requirements for stated effective date.
Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-059a Implement policies and procedures to comply with federal regulations for audits of MCO financial reports.
2023-059b Address deficiencies identified by the contracted encounter data study by ensuring corrective action is taken by the MCOs.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-060 (other noncompliance / material weakness – repeat finding – 2022-066)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Provider Eligibility
MEDICAID MANAGED CARE ORGANIZATIONS – PROVIDER ELIGIBILITY
Controls over the screening, enrollment, and revalidation of providers within the Medicaid program should be improved to ensure compliance with federal requirements relating to provider eligibility.
Criteria: 42 CFR §455.410, Enrollment and screening of providers, requires:
(a) The State Medicaid agency must require all enrolled providers to be screened under this subpart.
(b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers.
(c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following:
(1) Medicare contractors.
(2) Medicaid agencies or Children's Health Insurance Programs of other States.
(d) The State Medicaid agency must allow enrollment of all Medicare-enrolled providers and suppliers for purposes of processing claims to determine Medicare cost-sharing (as defined in section 1905(p)(3) of the Act) if the providers or suppliers meet all Federal Medicaid enrollment requirements, including, but not limited to, all applicable provisions of 42 CFR part 455, subparts B and E. This paragraph (d) applies even if the Medicare-enrolled provider or supplier is of a type not recognized by the State Medicaid Agency.
42 CFR §455.412, Verification of provider licenses, requires that the State Medicaid agency (SMA) must:
(a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State.
(b) Confirm that the provider's license has not expired and that there are no current limitations on the provider's license.
42 CFR §455.436, Federal database checks, requires that the State Medicaid agency must do all of the following:
(a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases.
(b) Check the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe.
(c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) Check the LEIE and EPLS no less frequently than monthly.
Condition: The State made substantial progress in ensuring compliance with federal requirements relating to the screening, enrollment, and revalidation requirements for providers of managed care organizations during fiscal 2023. While materially complying with these federal requirements, our audit noted the following control deficiencies relating to provider eligibility that need to be addressed:
• Licensing for providers of behavioral healthcare services and home and community-based services to members with developmental disabilities is, by statute, the responsibility of the Department of Behavioral Healthcare, Developmental Disabilities, and Hospitals (BHDDH). BHDDH, in conjunction with evaluations of provider health and safety standards, relicenses providers biennially. Inconsistent with most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual license data from BHDDH, resulting in a weakness in control for this segment of providers.
• Licensing for providers of residential services (inclusive of psychiatric services) to children in the State’s custody is, by statute, the responsibility of the Department of Children, Youth, and Families (DCYF). DCYF, in conjunction with evaluations of provider health and safety standards, relicenses providers annually. Inconsistent with most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual license data from DCYF resulting in a weakness in control for this segment of providers.
• We tested a random sample of 120 providers (both fee-for-service and managed care providers) to ensure that providers were properly enrolled in accordance with federal regulations. We identified 5 managed care providers that were not enrolled in accordance with federal regulations (questioned costs - $54,043).
• Encounter data submitted by managed care organizations is not currently validated for provider enrollment upon acceptance. Implementing this additional edit when processing encounter data would improve controls over compliance.
• For claims representing care furnished to a beneficiary by an out-of-state furnishing provider, the SMA may pay a claim to a furnishing provider that is not enrolled in the reimbursing state’s Medicaid plan, in limited circumstances. In these circumstances, the State is required to meet several requirements including verification that the provider is enrolled in good standing in Medicare or another state’s Medicaid program. The State is not currently performing such validation for out-of-State providers with limited claiming activity.
• Federal regulations require States to check federal databases for providers excluded from participating in federal programs monthly as part of provider eligibility requirements. While the State currently checks for exclusion upon initial enrollment, re-enrollment, or if other provider organizational changes are reported, the State does not perform monthly checks.
Cause: Weaknesses in internal controls over provider eligibility that collectively undermine compliance with federal regulations.
Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks.
Questioned Costs: $54,043
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-060 Enhance internal controls over provider eligibility by addressing deficiencies cited that collectively undermine compliance with federal regulations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-061 (material weakness – repeat finding – 2022-067)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirements: Activities Allowed or Unallowed; Allowable Costs/Cost Principles
CONTROLS OVER MANAGED CARE CAPITATION PAYMENTS AND CONTRACT SETTLEMENTS
See related Financial Statement Finding 2023-005.
Capitation payments to managed care organizations (MCOs) represent approximately 65% of Medicaid benefit expenditures. EOHHS needs to improve controls over managed care financial activity to ensure compliance with allowable cost principles for related program expenditures.
Background: Medicaid expenditures for members enrolled in managed care during fiscal 2023 approximated $2.2 billion (monthly capitation payments paid to participating MCOs). This comprised managed care coverage for 321,662 Medicaid eligible members - approximately 86% of total Medicaid enrollees at June 30, 2023. These capitation payments related to the following managed care programs within the State’s Medicaid program:
[See Schedule of Findings and Questioned Costs for table.]
Each of these programs has different population eligibility characteristics, capitation rate structures, and covered in-plan services. However, these programs operate under similar contract structures for purposes of financial settlement with Medicaid.
Recognizing the significance of managed care services within the Medicaid program and the need to strengthen fiscal integrity and accountability controls over these services, the Centers for Medicare & Medicaid Services (CMS) overhauled managed care regulations in fiscal 2020. The revised regulations are designed to strengthen fiscal transparency and integrity of managed care services provided in the Medicaid and CHIP programs.
Since managed care services provided within the RI Medicaid and CHIP programs involve complex rate setting and contract settlement provisions, the reliability and completeness of the mandated data provided by managed care organizations to the State is vital to fiscal integrity and accountability controls.
Criteria: As allowed under federal regulations, the State administers its managed care programs through contracts with MCOs which share the risk regarding financial gain or loss derived from the final contract settlements for the fiscal year. Contract settlements represent significant financial transactions within the Medicaid and CHIP programs and are subject to the provisions of 2 CFR Part 200 (Uniform Guidance). In conjunction with Uniform Guidance requirements, management is responsible for maintaining internal controls that ensure the allowability of federal costs. For benefit costs associated with managed care, the accuracy of contract settlements requires that costs be documented (by submitted encounter data) and in compliance with contractual requirements (e.g., allowable services, net of credits or reimbursements).
Condition: The following findings document control deficiencies and noncompliance with federal requirements which contribute to weakened controls over the allowability of managed care expenditures within Medicaid and CHIP:
• Finding 2023-005, Medicaid Program Complexity Affects Financial Reporting and Overall Program Controls – Highlights the need for system improvements to allow better financial accountability for managed care premiums and to enhance the processing of encounter data in support of the managed care contract settlement process.
• Finding 2023-059, Managed Care Financial Audit – The managed care financial audit requirements included by CMS were designed to improve controls over financial activity and the underlying data reported by managed care organizations, which become the basis for contract settlements with the Medicaid and CHIP programs. The State’s noncompliance with these federal requirements results in weakened controls over the administration of managed care activity.
Addressing the above findings will improve (1) final contract settlements with the MCOs and (2) the reliability of data utilized in developing prospective capitation rates.
In addition to the reliability of the data provided by managed care organizations to the State, ensuring that reported medical expenditures are supported by valid encounter data is an important control over the contract settlement process. In conjunction with our review of fiscal 2022 managed care contract settlements completed after the one-year claim runout period, we reviewed the percentage of reported managed care expenditures by plan versus submitted encounter data by plan. The following table provides context regarding the amount of medical expenditures that were not supported by submitted encounter data in fiscal 2022 contract settlements.
[See Schedule of Findings and Questioned Costs for table.]
Managed care contract settlements, in addition to ensuring that reported medical expenditures are complete and accurate, are highly dependent on reported capitation paid to managed care organizations. During our audit, we noted several areas where controls over capitation can be enhanced by improving controls that ensure timely termination of managed care enrollment when members pass away or relocate out of State.
The current Medicaid Management Information System (MMIS) is over two decades old and was programmed as a medical claims processing system. The system was not programmed with the functionality needed to process capitation adjustments and edit encounter data sufficiently for managed care activity, which represents the majority of Medicaid benefit expenditures.
Cause: Control deficiencies exist relating to final contract settlements with managed care organizations (MCOs) and managed care capitation payments.
Effect: Potential for inaccurate reimbursements to MCOs for contract services provided to Medicaid enrollees.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-061 Improve controls over compliance requirements for the allowability of federal expenditures by addressing internal control deficiencies (including system limitations for managed care capitation adjustments and editing encounter data) that specifically impact financial settlements with managed care organizations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-062 (significant deficiency – repeat finding – 2022-068)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Award Agency: Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Award Agency: Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Reporting
FEDERAL REPORTING
Controls should be improved over the quarterly reporting of expenditures for the Medicaid and CHIP programs.
Criteria: Federal regulations require that expenditures for federal programs be accurately reported on Form CMS-64. The RIFANS accounting system is the State’s official record of federal program expenditures, and therefore, should be the basis for federal reports. Forms CMS-64 and CMS-21 are required for the quarterly filing of benefit and administrative expenditures for the Medicaid and CHIP programs. Additionally, the CMS-425 Report is required quarterly to reflect the cumulative disbursement of program expenditures from authorized grant awards (by federal fiscal year) for the respective programs.
Condition: Reviews of federal reports for fiscal 2023 noted the following reporting deficiencies:
• Approximately $2.7 million in CHIP expenditures were claimed to Medicaid initially and determined retroactively to be CHIP eligible and reclassified on federal reports between the two federal programs. The untimely adjustment of expenditures between the Medicaid and CHIP programs results in timing differences and reporting adjustments that complicate the reconciliation of federal reports to RIFANS for both programs.
• Reconciling administrative expenditures to the State accounting system was not performed consistently by the State’s other health and human service (HHS) agencies charging administrative expenditures to Medicaid. Various HHS agencies utilize six separate and distinct cost allocation plans to allocate administrative expenditures to Medicaid. The lack of a comprehensive administrative costs reconciliation between the CMS-64 Report and the State accounting system prevents quantifying differences between federal expenditures claimed in federal reports and amounts reported in the State’s Schedule of Expenditures of Federal Awards.
• Nursing facility taxes and hospital licensing fees were reported quarterly in accordance with CMS-64 Report requirements. However, EOHHS needs to consider whether other healthcare-related taxes meet the requirements for reporting on the CMS-64 Report to ensure the completeness of reports filed. The OAG specifically inquired regarding premium taxes that are factored into Medicaid managed care rates to determine if that health insurer tax should also be reported on the CMS-64 Report.
Cause: Untimely adjustments of expenditures between the Medicaid and CHIP programs weaken controls over federal reporting for both programs. Lack of complete reconciliation of Medicaid administrative expenditures to the State accounting system represents a weakness in internal control over federal reporting. Procedures to ensure the consistent and complete reporting of healthcare-related taxes and fees on the CMS-64 Report are lacking.
Effect: Increased risk of inaccurate federal reporting.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-062a Eliminate untimely expenditure adjustments between Medicaid and CHIP by addressing RIBridges programming deficiencies which prevent CHIP eligibility from being completely determined and coded through the State’s integrated eligibility system.
2023-062b Require all HHS agencies to submit reconciliations of their quarterly administrative claiming (as determined through approved cost allocation methodologies) to reported expenditures in RIFANS on a quarterly basis.
2023-062c Conduct an analysis of healthcare-related fees and taxes levied by the State to determine if other healthcare-related taxes require reporting in the CMS-64 Report.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-063 (significant deficiency – repeat finding – 2022-069)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER THIRD-PARTY LIABILITY (TPL) IDENTIFICATION FOR MEMBERS COVERED UNDER MANAGED CARE
The State should improve controls relating to the identification of third-party insurance coverage to ensure that, when appropriate, Medicaid is the payer of last resort by (a) ensuring that TPL reported in the MMIS is accurate and up to date, and (b) ensuring that managed care organizations (MCOs) are effectively identifying TPL insurance coverage for Medicaid recipients and cost avoiding for claims covered by other insurance.
Background: The State utilizes a vendor in conjunction with its MMIS operations to identify TPL coverage for Medicaid (and CHIP) eligible members. For members enrolled in managed care, the managed care organizations (MCOs) are responsible for identifying TPL coverage. By contract, MCOs must notify the State of identified TPL within 5 business days of discovery. In response to prior year reporting of this issue, the State began more actively sharing identified TPL information with the MCOs.
Criteria: 42 CFR §433.138 requires that States (as defined in their approved State Plan) must take reasonable measures to determine the legal liability of the third parties responsible for paying for services furnished under the State Plan. Federal regulations indicate the minimum required measures that the State must include in their State Plan. Rhode Island’s State Plan TPL procedures are largely focused on TPL identification processes for fee-for-service claiming within the Medicaid program. The State’s contracts with MCOs include requirements for the identification and reporting of TPL for covered members.
With most Medicaid beneficiaries enrolled in managed care, ensuring the completeness and effectiveness of TPL identification by the MCOs is important to ensure compliance with federal regulations. Actual claims paid by the MCOs become the basis for final contract settlements; therefore, failure to identify other responsible insurance (TPL) prevents timely cost avoidance during claims processing and increases overall contract costs for the Medicaid program.
Condition: During fiscal 2023, we performed certain analytical procedures on MCO encounter data to identify instances where Medicaid recipients (members with Medicaid eligibility for the entire year) had verified TPL coverage that was consistent with their Medicaid managed care coverage to determine the extent to which MCOs were paying for claims that could be cost avoided. We selected a random sample of encounter claims where the State reported verified TPL coverage (positive) and a random sample of encounter claims where the State did not report verified TPL coverage (negative). We confirmed a sample of positive and negative sample items with the MCOs to evaluate the percentage of State verified TPL that the MCOs had successfully identified. Our test results for fiscal 2023 showed notable improvement from prior years. While one MCO reported 100% accuracy in their sample results, two MCOs each reported a 15% error rate (missing TPL coverage for 3 out of 20 members included in our sample).
Our continued analysis of federal requirements for TPL identification and cost avoidance in fiscal 2023, while showing significant improvement, supports the need for continued monitoring and validation procedures by EOHHS. EOHHS should continue to obtain a validated TPL insurance coverage file for Medicaid members annually and share validated TPL coverage with the MCOs. EOHHS should also request Medicaid member TPL coverage from the MCOs annually to validate that the MCOs are utilizing the data provided by the State.
Cause: Insufficient monitoring of TPL identification and cost avoidance by managed care organizations to ensure compliance with federal regulations.
Effect: Possible noncompliance with federal regulations requiring cost avoidance or recovery of costs when third-party liability coverage is available. Overpayment of capitation and MCO contract settlement costs.
Questioned Costs: None
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-063 Share and match identified TPL coverage with the MCOs annually. Periodic matching with MCO enrollment files would ensure that TPL coverage is consistently being applied throughout the Medicaid and CHIP programs.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-064 (other noncompliance / material weakness – new finding)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Eligibility
CONTROLS OVER MEDICAID ELIGIBILITY
Operational and control deficiencies during fiscal 2023 resulted in noncompliance with federal regulations relating to Medicaid eligibility.
Background: RIBridges, the State’s computer system used to manage multiple federally funded human service programs, determines eligibility for Medicaid. The COVID-19 public health emergency (PHE), which continued until May 2023, restricted States from modifying recipient eligibility during the PHE, except for certain circumstances (i.e., death, relocation out of State, voluntary member withdrawal).
Criteria: Medicaid eligibility requirements are detailed in the State Plan (Section 1115 Global Waiver).
42 CFR sections 435.940 through 435.960, which detail income and eligibility verification requirements for Medicaid, require State-administered public assistance programs to establish procedures for obtaining, using, and verifying information relevant to determinations as to eligibility and the amount of assistance. Section 1902(a)(4) of the Act allows the HHS Secretary to prescribe methods of administration found necessary for the proper and efficient operation of a State’s Medicaid plan.
42 CFR §435.916 requires the periodic renewal of recipient Medicaid eligibility. The 12-month renewal period mandated for MAGI-eligible recipients pertains to the majority of Medicaid and CHIP recipients in Rhode Island.
Condition: For fiscal 2023, we tested a sample of 60 Medicaid eligible members (capitation payments totaling $240,129, federal share - $172,893, for the members tested) claimed for compliance with program eligibility. Total capitation payments claimed to Medicaid totaled $1.8 billion (federal share - $1.3 billion) during fiscal 2023. Both systemic and operational deficiencies were noted during our testing resulting in noncompliance with eligibility requirements for the Medicaid program, specifically:
• Inconsistencies with the operation of the State Wage Information Collection Agency (SWICA) interface were noted in 2 out of 60 cases (questioned costs - $2,007). Eligibility determinations in these cases were post-PHE and actual reported SWICA income would have made the members ineligible for Medicaid.
• A member was determined ineligible in RIBridges beginning 11/1/2019 (pre-PHE) but has remained continuously eligible on Medicaid (questioned costs - $5,443).
• Documentation supporting income (e.g., electronic SWICA validation or applicant submitted documentation (i.e., paystubs)) was lacking in 4 out of 60 cases. Since we were able to perform alternative procedures to validate reported income to SWICA data provided by the Department of Labor and Training, these cases were not deemed to be noncompliance as reported household income would have made these members eligible for Medicaid.
As noted above, eligibility was determined to be incorrect or unsupported in 3 of 60 sample members tested (5% error rate). Total questioned costs identified during our testing were $7,450.
In addition to noncompliance reported above, the State continued to claim Medicaid Expansion enhanced reimbursement (90% FMAP (Federal Medical Assistance Percentage)) for certain members older than 65 during fiscal 2023. While PHE requirements allowed members to remain eligible on Medicaid, states needed to redetermine eligibility for these members upon reaching age 65 to see if they were eligible for a different Medicaid eligibility category. In conjunction with our Medicaid eligibility testing, we tested a random sample of 23 Medicaid Expansion members over the age of 65 for redetermination by the State. Our testing found that 11 out of the 23 members tested turned age 65 prior to the PHE period beginning in March 2020, thus enhanced federal reimbursement should have ended upon turning age 65 (questioned costs - $79,946). Since redetermination was not performed, we could not determine if the individual would have remained qualified for Medicaid. Our analysis identified 158 members based on date of birth that should have aged out of Medicaid expansion prior to the start of the PHE.
During our audit, utilizing the U.S. Department of Treasury’s “Do Not Pay” service, we evaluated the Medicaid enrollment file as of June 30, 2023 to determine the State’s timeliness of terminating eligibility for deceased members. The “Do Not Pay” service compared the Medicaid enrollment file to the Social Security Administration (SSA) Death Master File to determine if currently enrolled members were reported deceased to the SSA. This analysis identified 3,298 deceased members still active on Medicaid at June 30, 2023. The period by which the members remained active on Medicaid after reported death, the number of members, and the amount of capitation paid in fiscal 2023 subsequent to the month of death is summarized as follows:
[See Schedule of Findings and Questioned Costs for table.]
Controls to ensure timely termination of Medicaid enrollment upon death still appear lacking to prevent capitation payments from being made for deceased members. While capitation can be recouped once identified, the length that payments are continuing is significant and could span managed care contract settlement periods. Under federal regulations, capitation payments for deceased members would be considered an ineligible payment of federal funds.
While we noted instances where RI Medicaid was recouping capitation once death was recorded in the MMIS for certain cases, the length of time that managed care capitation was continuing is indicative that system controls were not effective in terminating coverage in a timely manner. A detailed review of some of these cases noted that RIBridges was aware of the date of death, but eligibility was still active or pending closure. In many cases, the date of death reporting was not communicated to the MMIS, resulting in continued capitation payments. The amounts included above had active eligibility at June 30, 2023 and capitation had not been recouped during fiscal 2023. Of the 3,298 members identified as deceased, 521 had reported dates of death older than two years. Based on our June 30, 2023 evaluation, estimated questioned costs for capitation payments made for deceased individuals totaled $5,125,758, pending recoupment of capitation payments to managed care organizations and the transportation provider.
In conjunction with audit work performed during fiscal 2023 to evaluate the effectiveness of systemic processes in RIBridges designed to identify Medicaid/CHIP members no longer residing in the State, we determined that the system functionality to follow-up on Public Assistance Reporting Information System (PARIS) notifications was not operating as designed. PARIS notifies States when a member has begun receiving benefits in another state or territory. The State opted to pause the functionality due to a lack of operational capacity to adhere to CMS 9912 Final Rule which required the State to pursue additional reasonable measures during the PHE before terminating the individual’s enrollment. With systemic controls paused, controls over member residency during our audit period were ineffective. The amount of capitation paid for Medicaid members no longer residing in the State was not determinable for our audit period.
Lastly, we identified some instances where non-qualified, non-citizen children that were eligible under a State coverage program titled “Cover All Kids” had been coded with Medicaid aid categories during certain periods within fiscal 2023. Our analysis found that the coding error likely impacted 373 cases within Medicaid during fiscal 2023. Since the duration of the coding error varied, ineligible costs could not be determined.
Cause: Noncompliance with Medicaid eligibility requirements was caused by specific programming deficiencies within RIBridges (e.g., failure to redetermine Medicaid Expansion members upon age 65, interface validations not operating as designed) or insufficient documentation supporting eligibility within the case record (e.g., lack of income documentation).
Effect: Noncompliance with federal requirements relating to recipient eligibility for Medicaid.
Questioned Costs: $5,213,154
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2023-064a Address and correct the RIBridges system deficiencies (e.g., SWICA interface, Medicaid Expansion age-out, Death reporting) which weaken controls and result in noncompliance with federal regulations regarding Medicaid eligibility.
2023-064b Enhance controls over the identification of deceased members and members that have relocated out-of-State to minimize ineligible benefit payments within the Medicaid program.
2023-064c Identify ineligible Medicaid costs and return to the federal grantor.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-065 (other noncompliance / significant deficiency – repeat finding – 2022-073)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
SERVICES PROVIDED TO CHILDREN IN THE STATE’S CUSTODY BY THE DEPARTMENT OF CHILDREN, YOUTH, AND FAMILIES (DCYF) BILLED TO MEDICAID
Certain psychiatric residential treatment facility (PRTF) services provided to children in the State’s custody were not charged to Medicaid in fiscal 2023 in accordance with the methodology approved in the State Plan. Controls over other services provided to children in the State’s custody would be improved if processed through the Medicaid Management Information System (MMIS).
Background: EOHHS, the Single State Medicaid Agency, administers claiming to Medicaid from other health and human service State agencies (such as DCYF) through the execution of Interagency Service Agreements (ISAs). The ISA provides approval by the Single State Medicaid Agency that the proposed services are allowable and identifies requirements that the other agency must comply with to support the allowability of the claims to Medicaid. Services authorized by the ISAs should be claimed in accordance with approved State Plan requirements. PRTF services (which began in fiscal 2020) claimed by DCYF to Medicaid are an identified service within the ISA. The approval to claim these services based on an all-inclusive rate determined through a cost-based methodology was approved by the Centers for Medicare and Medicaid Services (CMS) in fiscal 2023.
Criteria: Reimbursing providers in accordance with an approved State Plan methodology is a requirement for considering the allowability of federal expenditures. The Medicaid State Plan stipulates a cost reimbursement methodology for establishment of reimbursement rates for PRTF service providers.
Condition: DCYF implemented psychiatric residential treatment facility (PRTF) services during fiscal 2020 to provide a current level of service to children in the State’s custody that was previously lacking. Previously, DCYF allocated claiming for all contracted youth placement providers to Medicaid based on a time study methodology (partial charging, previously based on underlying time study allocation for treatment and assessment component of service provided). PRTF placements were a change, in that certified and licensed facilities would be charged at 100% of the contracted per diem rate (set based on a cost reimbursement methodology) to Medicaid. Medicaid reimbursements have been made to DCYF since inception of PRTF services based on the new methodology (determined through provider budget submission). CMS approved a State Plan amendment for a cost reimbursement methodology during fiscal 2023. PRTF services during fiscal 2023 continued to be reimbursed through an unapproved methodology. DCYF was reimbursed approximately $5.4 million for PRTF services provided to children in the State’s custody during fiscal 2023.
During our audit, we also noted that approximately $20 million in other services to children in the State’s custody (referred to as manual billings by DCYF) are being claimed to Medicaid through journal entries in the State Accounting System. Controls over these services would be greatly enhanced if these providers submitted claims directly to the MMIS for reimbursement. Allowing fee-for-service claiming to be reimbursed by Medicaid external to the MMIS significantly weakens program controls.
Cause: Medicaid reimbursements of PRTF services to DCYF during fiscal 2023 were not based on the specific cost reimbursement methodology approved in the State plan. Control weaknesses exist when Medicaid claiming is not processed through the MMIS.
Effect: Potential noncompliance with federal regulations for allowable costs/cost principles.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-065a Reprocess claims for PRTF services to ensure that the provider is reimbursed based on the allowable cost reimbursement methodology and return any ineligible amounts to the federal grantor.
2023-065b Ensure that allowable medical services provided by DCYF providers are billed directly to the MMIS and subject to all designed claims processing, recipient eligibility, and provider eligibility controls.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-066 (significant deficiency – new finding)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER STATE HOSPITAL CLAIMING
Controls need to be improved to ensure that claims from the State Hospital are reimbursed by Medicaid as the payer of last resort.
Criteria: Federal regulations require Medicaid to be the “payer of last resort.” This means that all third party insurance carriers, including Medicare and private health insurance carriers, must be billed before Medicaid processes the claim.
Condition: Unlike similar providers that claim reimbursement to Medicaid, claims submitted by Eleanor Slater Hospital (ESH), a State-operated hospital, are not edited to ensure that ESH has sought reimbursement from Medicare before seeking reimbursement from Medicaid. Normal processing requires the provider to submit to Medicaid an “explanation of benefits” (EOB) from Medicare which shows that Medicare was billed and was not reimbursed or only partially reimbursed for the claim based on the individual’s remaining benefits. The amount of claims, if any, inappropriately reimbursed by Medicaid could not be determined.
Cause: Controls over State Hospital claiming were inadequate to ensure compliance with federal regulations requiring Medicaid to be the payer of last resort.
Effect: Ineligible reimbursements by Medicaid for Eleanor Slater Hospital claims for members with other insurance coverage (predominantly Medicare).
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-066 Ensure that claiming from Eleanor Slater Hospital is subject to edits for other insurance to ensure that Medicaid is the payer of last resort.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-067 (significant deficiency – new finding)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER SPECIAL EDUCATION SERVICES PROVIDED BY LOCAL EDUCATION AGENCIES
Special education services monitoring needs more oversight to ensure that required corrective actions and certifications are obtained from local education agencies.
Criteria: The State has established policies and procedures relating to its oversight of special education services claiming by local education agencies (LEAs). These policies and procedures are detailed in EOHHS’s Direct and Administrative Services Guidebooks for LEAs. The guidebooks, among several requirements, mandate a) the submission of a quality assurance Medicaid Action Plan (LEA policies and procedures to ensure claiming meets federal requirements) and b) the quarterly submission of the Certification of Funds letters in accordance with the EOHHS/LEA Interagency Provider Agreement which attests to the provision of State match requirements by the local education agencies.
Condition: Our review of EOHHS’ monitoring of LEA special education services billed to Medicaid identified the following:
• 1 LEA in our sample of 4 providers (out of 42 providers) had not submitted the required Medicaid Action Plan until requested during our audit, and
• EOHHS could not provide documentation of quarterly Certification of Funds letters submitted from all 4 providers sampled.
While our testing found that EOHHS’ monitoring was substantially being performed during fiscal 2023, documentation of certain compliance areas was lacking. Since other monitoring procedures were found to be in place for the providers reviewed, we did not consider claiming reimbursed to these providers to represent noncompliance with federal regulations.
Cause: Monitoring special education services was impacted by staff turnover during fiscal 2023 and oversight by EOHHS did not detect the noncompliance with departmental policies and procedures.
Effect: Potential noncompliance with federal regulations regarding the allowability of special education services reimbursed by Medicaid.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-067 Enhance oversight of special education services by LEAs to ensure compliance with adopted policies and procedures.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-030 (material noncompliance / material weakness – repeat finding – 2022-039 and 2022-060)
EMERGENCY RENTAL ASSISTANCE PROGRAM – 21.023
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: ERAE0006
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
CORONAVIRUS STATE AND LOCAL FISCAL RECOVERY FUNDS – 21.027
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: SLFRP0136
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019 to 2024
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
DISASTER GRANTS – PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) – 97.036
Federal Awarding Agency: U.S. Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA)
Federal Award Fiscal Years: 2020 to 2023
Federal Award Number: FEMA-4505-DRRIP00000001
Administered by: Rhode Island Emergency Management Agency (RIEMA)
Compliance Requirement: Subrecipient Monitoring
SUBRECIPIENT MONITORING
The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs.
Background: The State relies on grantee agencies to perform subrecipient monitoring, when required, and ensure compliance with federal regulations. There is no statewide monitoring of subrecipient activities to ensure compliance with federal regulations.
Criteria: 2 CFR §200.332(d) “Requirements for pass-through entities” requires that all pass-through entities must “monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.” That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.
2 CFR §200.332(a)(1) requires pass-through entities to clearly identify certain Federal award identification information in the subaward (e.g., subrecipient unique entity identifier, Federal Award Identification Number, Assistance Listing number and title, et al.).
Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed subrecipient financial and performance reports, i.e., Single Audit reports, when applicable, or performed other monitoring activities to comply with federal regulations. Based on test results, specific to agency review of Single Audit reports, the following programs were deemed to be in material noncompliance with subrecipient monitoring requirements:
[See Schedule of Findings and Questioned Costs for tables.]
In addition to the noncompliance related to review of subrecipient audit reports noted above, we identified the following deficiencies:
• Emergency Rental Assistance Program and Coronavirus State and Local Fiscal Recovery Funds – The Pandemic Recovery Office (PRO) along with the Department of Housing, through a memorandum of understanding with PRO to administer portions of these programs, executed various subawards with local non-profit organizations. Procedures were in place to review and approve monthly invoice packages for adherence to program requirements and contract budgets, and consistency with key performance indicator data submitted by the subrecipients. However, no on-site monitoring was performed in fiscal 2023 and periodic meetings with subrecipients were not documented.
• Epidemiology and Laboratory Capacity for Infectious Diseases – Subawards executed by the Department of Health did not adequately identify required Federal award identification information.
Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations.
Effect: Noncompliance with federal compliance requirements by subrecipients could occur without being identified by the State in a timely manner.
Questioned Costs: None
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-030 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-068 (significant deficiency – repeat finding – 2022-075)
DISASTER GRANTS – PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) – 97.036
Federal Awarding Agency: U.S. Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA)
Federal Award Fiscal Years: 2020 to 2023
Federal Award Number: FEMA-4505-DRRIP00000001
Administered by: Rhode Island Emergency Management Agency (RIEMA)
Compliance Requirement: Reporting
FEDERAL FINANCIAL REPORTS
RIEMA lacks controls over federal reporting to ensure that submitted federal reports are accurate and supported by the State accounting system.
Criteria: Consistent with Uniform Guidance requirements, the State is required to complete the SF 425, Federal Financial Report, quarterly for the grant on a cumulative cash basis. The FFR should be sufficiently supported by the State’s accounting records.
Condition: For fiscal 2023, we noted variances between the amounts reported on each of the quarterly SF 425 reports and obligations reported in FEMA’s grants portal. In certain instances, the differences reported in cash receipts were due to immaterial timing differences. However, for one quarter, we noted a significant timing difference of over $4 million. Additionally, for the quarter ended June 30, 2023, we noted a cumulative difference of $315,429. While we found that RIEMA materially complied with federal reporting requirements, internal controls such as reconciling federal reports with the State accounting system were lacking to identify quarterly reporting errors.
Cause: RIEMA did not have procedures in place to ensure that federal reports were consistent with underlying supporting documentation (i.e., State accounting system).
Effect: Expenditures and cash receipts reported on the SF-425 were understated at year-end.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-068a Strengthen procedures for preparing federal financial reports to ensure that information reported is adequately supported and consistent with underlying records.
2023-068b Submit revised SF-425 to reflect corrected expenditures and drawdowns for fiscal 2023, as necessary.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-050 (significant deficiency – repeat finding – 2022-052)
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019 to 2024
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
DISASTER GRANTS – PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) – 97.036
Federal Awarding Agency: U.S. Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA)
Federal Award Fiscal Years: 2020 to 2023
Federal Award Number: FEMA-4505-DRRIP00000001
Administered by: Rhode Island Emergency Management Agency (RIEMA)
Compliance Requirement: Activities Allowed or Unallowed; Allowable Costs/Cost Principles
CONTROLS OVER PANDEMIC-RELATED EXPENDITURES ALLOCABLE TO MULTIPLE FUNDING SOURCES OR FEDERAL AWARDS
The State had insufficient controls to ensure expenditures were not reimbursed from more than one funding source or award under federal programs with similar pandemic response related objectives. Reconciliations of accounting records to align program revenues with federal revenues received were not fully completed at fiscal year-end.
Background: The State has received an unprecedented amount of federal assistance to respond to the effects of the global health pandemic. Included in this assistance were funds received from the FEMA Stafford Act Disaster Grants program and the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) program, among others. Certain costs were eligible for reimbursement under multiple programs and funding sources. Expenditures were often applied to one funding source and then subsequently adjusted to another funding source as federal guidelines changed and the end of the period of availability drew near for multiple awards. Due to the length of the pandemic, adjustments of program expenditures between federal programs or other funding sources overlapped fiscal years at times.
Criteria: Expenditures may only be reimbursed from one funding source or federal award.
Condition: Due to changing federal guidelines and the evolving State response to the pandemic, costs were sometimes charged to one funding source and then later moved to another funding source. When expenditures are reclassified or reallocated within the RIFANS accounting system, journal entries are used to move the aggregate dollar activity; however, the original transaction (expenditure/disbursement) remains in the account originally charged, offset by a credit. This process complicates the identification of the underlying expenditures reimbursed by the federal award and increases the risk that expenditures could be reimbursed from more than one federal award.
During fiscal 2023, we noted the following adjustments to financial activity supporting the cited control deficiency:
• Approximately $1.0 million in expenditures were adjusted from ELC to FEMA, and another $1.8 million from restricted funding sources to ELC.
• Approximately $2.1 million was adjusted from various federal programs and non-federal accounts to FEMA’s Disaster Grants program and another $6.6 million from FEMA’s Disaster Grants program to various federal programs and other non-federal expenditure accounts.
The State implemented a reconciliation process to account for, and adjust as necessary, federal program activity to align accounting records with actual final funding sources of the activities. Journal entries were processed in fiscal 2023 to adjust expenditures between federal and non-federal funding sources for prior and current year activity. While there was a significant decrease in the magnitude of the adjustments compared to prior years, reconciliations for all State agencies and departments were not fully completed at June 30, 2023.
Cause: Due to the rapid response required during the pandemic, the existence of multiple federal funding sources, and continually evolving federal guidance, costs were moved and adjusted in the accounting system to various funding sources, which increased the risk that a cost could be reimbursed from more than one funding source or federal award.
Effect: Potential duplicate reimbursement of expenditures from more than one funding source or federal award. Potential of charging costs for unallowable activities to federal programs as the expenditure detail is not maintained when expenditures are adjusted in the accounting system.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-050a Ensure reconciliations and any required adjustments are complete to demonstrate that eligible pandemic-related program costs were not reimbursed from more than one funding source.
2023-050b Determine whether any program costs were reimbursed by multiple funding sources. Return any related funds to the appropriate federal grantor.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-031 (other noncompliance / significant deficiency – new finding)
WIC SPECIAL SUPPLEMENTAL NUTRITION PROGRAM FOR WOMEN, INFANTS AND CHILDREN – 10.557
Federal Awarding Agency: United States Department of Agriculture (USDA), Food and Nutrition Service
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 224RI705W1003, 224RI705W1006, 234RI705W1003, 234RI705W1006
Administered by: Rhode Island Department of Health (RIDOH)
Compliance Requirements: Allowable Costs/Cost Principles
CONTROLS OVER REGULATIONS FOR CERTAIN MAXIMUM MONTHLY ALLOWANCES
RIDOH controls over the determination of monthly benefit allowances within the program need to be enhanced to ensure participants’ monthly commodity thresholds comply with federal regulations.
Background: The Special Supplemental Nutrition Program for Women, Infants and Children (WIC) is a federally funded nutrition program. The program’s mission is to safeguard the health of low-income women, infants, and children (up to the age of 5) who are at nutritional risk. The program provides nutritious foods to supplement diets, information on healthy eating, breastfeeding promotion and support, and referrals to health care. The Food and Nutrition Service (FNS) provides federal grants to State agencies, which are responsible for the administration of the WIC Program at the State level. Crossroads is the WIC eligibility management information system that provides case management, vendor management and fiscal management of WIC funds.
Criteria: Uniform Guidance federal regulation 7 CFR §246.10(e)(9) Table 1 Footnote 7, notes that State agencies must provide at least the Full Nutritional Benefit (FNB) authorized to non-breastfed infants up to the maximum monthly allowance (MMA) for the physical form of the product specified for each food package category.
Condition: We reviewed a random sample of forty monthly benefit issuances within the Crossroads System and noted three instances where the infant formula benefit issuance exceeded the infant formula MMA. In the three exceptions noted, the cost of additional formula units issued and expended approximated $130 during fiscal 2023. We evaluated the likely noncompliance caused by the inaccurate system determination of authorized infant formula benefits for the fiscal year. This evaluation determined that while additional questioned costs likely resulted, the excess formula benefit did not result in material noncompliance relating to allowable costs.
Cause: RIDOH misinterpreted the regulation for the program (to properly calculate the MMA for infant formula) for a period which included fiscal year 2023. RIDOH interpreted the regulations using the MMA of 870 fluid ounces reconstituted powder for the rounding up method, rather than the FNB of 806 fluid ounces. Therefore, the Crossroads System was rounding up the MMA to 870 fluid ounces reconstituted powder, resulting in the over-issuance of benefits for the related eligibility period.
Effect: RIDOH exceeded the MMA benefit for certain infant formula benefit issuances for eligible program participants.
Questioned Costs: $130
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-031 Review and correctly implement (if required) regulations for issued food benefit packages in accordance with required federal regulations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-032 (significant deficiency – new finding)
WIC SPECIAL SUPPLEMENTAL NUTRITION PROGRAM FOR WOMEN, INFANTS AND CHILDREN – 10.557
Federal Awarding Agency: U.S. Department of Agriculture (USDA), Food and Nutrition Service
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 224RI705W1003, 224RI705W1006, 234RI705W1003, 234RI705W1006
Administered by: Rhode Island Department of Health (RIDOH)
Compliance Requirements: Allowable Costs/Cost Principles; Eligibility
INFORMATION SYSTEMS SECURITY CONSIDERATIONS RELATING TO THE CROSSROADS MANAGEMENT INFORMATION SYSTEM
Controls over logical access to the Special Supplemental Nutrition Program for Women, Infants and Children’s (WIC) Management Information System (Crossroads) can be enhanced to ensure the timely removal/deactivation of user access privileges upon termination of employment at participating local agencies or clinics. RIDOH should monitor complementary user entity controls performed by its subcontractor in conjunction with its oversight of information systems security for the Crossroads System.
Background: Program specific data and other information for eligible participants of the State’s WIC program is maintained within the Crossroads System. RIDOH contracts the maintenance and operation of the system to a third party and that vendor contracts with a Web Services Provider to host the application. The Crossroads System is utilized by RIDOH and other local agencies and clinics that provide WIC services. RIDOH receives a Service Organization Control (SOC) report for the Web Services Provider that it utilizes in conjunction with its monitoring of information systems security over the system.
Criteria: The State Division of Enterprise Technology Strategy and Services (ETSS) promulgates the State’s information systems security policies and procedures. ETSS policies specific to logical access controls include policy 4.2, Account Management, which requires State agencies to monitor the use of information system accounts. This policy requires user accounts to be deactivated or terminated within one week when a user transfers or terminates employment. Agencies are also required to annually review information system accounts for compliance with account management requirements and to semi-annually review privileged accounts. Privileged and non-privileged accounts should be deactivated after 60 and 90 days of inactivity, respectively.
Management has responsibility for the adequacy of the design and operation of an entity’s control structure, including functions performed by external parties. This responsibility also includes documenting and reviewing designated user entity controls which the service organization assumes are in place and operating effectively for the proper and secure use of the contracted entity’s services.
Condition: WIC officials are responsible for authorizing and managing access to the Crossroads System. The policy for removing individuals from the Crossroads System mandates that the local agency or clinic notify WIC staff of the user(s) requiring access removal/revocation. The system automatically revokes access when a user does not access the system for 90 days.
All participating local agencies and clinics that utilize the Crossroads System are required to contact WIC staff to initiate user deactivation from the System upon terminating employment. In circumstances where a user agency does not request access revocation for an employee upon termination, WIC officials are relying on the system to deactivate these users after the allotted 90 days. WIC officials are not currently monitoring system access to ensure that access is terminated in a timely manner when a user is no longer employed or authorized to use the system. WIC’s current practices do not comply with the State’s policies and procedures for managing system user access and are not considered IT security best practices. Our evaluation of system access identified five (5) individuals who had not logged in for 60+ days. These individuals were no longer employed and should not have remained able to access the system.
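The check below is an added example, not part of the audit report or of any RIDOH or Crossroads code. It applies the ETSS policy 4.2 thresholds quoted above (deactivation within one week of separation, 60/90 days of inactivity for privileged/non-privileged accounts) to an account listing. The CSV layout, field names and sample rows are constructed assumptions.

```python
"""Review active accounts against the ETSS policy 4.2 thresholds quoted in the finding.

Assumptions (not from the report): the CSV column names, the yes/no and
active/disabled values, and every sample row below are constructed.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

SEPARATION_GRACE = timedelta(days=7)  # deactivate within one week of separation
INACTIVITY_LIMIT = {
    True: timedelta(days=60),   # privileged accounts
    False: timedelta(days=90),  # non-privileged accounts
}

# Constructed sample: account listing joined with separation dates from HR
# or the local agency. An empty separation_date means still employed.
ACCOUNTS_CSV = """user_id,agency,privileged,status,last_login,separation_date
u1001,clinic-a,no,active,2023-06-20,
u1002,clinic-a,no,active,2023-04-15,2023-04-14
u1003,clinic-b,yes,active,2023-04-20,
u1004,clinic-b,no,active,,
u1005,clinic-c,no,disabled,2023-01-05,2023-01-04
u1006,clinic-c,no,active,2023-06-25,2023-06-26
u1007,clinic-a,no,active,2023-03-01,
"""


@dataclass(frozen=True)
class Finding:
    user_id: str
    rule: str
    days_over: int  # days past the policy deadline on the review date


def _parse_date(value):
    value = value.strip()
    return date.fromisoformat(value) if value else None


def review_accounts(csv_text, review_date):
    """Return policy exceptions for accounts that are still active."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["status"].strip().lower() != "active":
            continue  # already deactivated, nothing to flag
        privileged = row["privileged"].strip().lower() == "yes"
        separated = _parse_date(row["separation_date"])
        last_login = _parse_date(row["last_login"])

        # Rule 1: separation drives deactivation, independent of login activity.
        # u1002 is inactive for fewer than 90 days, so an inactivity timer
        # alone would leave it enabled; this rule catches it.
        if separated is not None:
            overdue = (review_date - separated) - SEPARATION_GRACE
            if overdue > timedelta(0):
                findings.append(
                    Finding(row["user_id"], "SEPARATED_STILL_ACTIVE", overdue.days)
                )

        # Rule 2: inactivity limit depends on privilege level.
        if last_login is None:
            # No login on record: cannot age the account, route to manual review.
            findings.append(Finding(row["user_id"], "NO_LOGIN_RECORDED", 0))
        else:
            overdue = (review_date - last_login) - INACTIVITY_LIMIT[privileged]
            if overdue > timedelta(0):
                findings.append(
                    Finding(row["user_id"], "INACTIVE_OVER_LIMIT", overdue.days)
                )
    return findings


if __name__ == "__main__":
    for f in review_accounts(ACCOUNTS_CSV, date(2023, 6, 30)):
        print(f"{f.user_id}: {f.rule} ({f.days_over} days past deadline)")
```

Running the review on a schedule and keeping its output gives the documented evidence of monitoring that a periodic account review requires.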
While WIC officials review the SOC report for the Web Services Provider, the complementary user entity controls (CUEC) responsibilities included in the report are delegated to the contractor that ensures the maintenance and operation of the system. Due to the importance of securing the system, which administers eligibility for WIC as a federal program, WIC officials should have procedures in place to monitor and document the contractor’s performance of designated CUECs.
Cause: Controls over logical access to the Crossroads System do not comply with ETSS’s adopted policies and procedures. Lack of monitoring of contractor responsibility for performance of user entity controls.
Effect: Users can continue to access the system after employment termination which could result in malicious activity or unauthorized changes that impact program benefits. Nonperformance of user entity controls by the contractor could compromise security over the Crossroads System.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-032a Enhance controls to ensure that the Crossroads System’s user access privileges are deactivated by RIDOH immediately upon a user’s separation from the associated local agency or clinic’s employment.
2023-032b Monitor and document contractor performance of user entity controls identified in the SOC report for the Web Services Provider.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-033 (other noncompliance / significant deficiency – repeat finding – 2022-059)
WIC SPECIAL SUPPLEMENTAL NUTRITION PROGRAM FOR WOMEN, INFANTS AND CHILDREN – 10.557
Federal Awarding Agency: U.S. Department of Agriculture (USDA), Food and Nutrition Service
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 224RI705W1003, 224RI705W1006, 234RI705W1003, 234RI705W1006
Administered by: Rhode Island Department of Health (RIDOH)
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019-2024
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
Compliance Requirements: Allowable Costs/Cost Principles
TIME AND EFFORT REPORTING
RIDOH can enhance controls over time and effort reporting to ensure accurate allocations and reimbursements from federal programs.
Background: RIDOH has built robust, yet complex, time reporting worksheets for employees to allocate their time spent on various activities during the week. Reconciliation of the hours worked versus the hours charged to the State’s payroll system and accounting system is performed on a quarterly basis. Amounts recorded are adjusted accordingly to ensure charges in the accounting system are consistent with actual time charged to various programs.
Criteria: 45 CFR §75.430(i)(1) and 2 CFR §200.430(i)(1) require that “Charges to Federal awards for salaries and wages must be based on records that accurately reflect the work performed.”
Condition: Our review of personnel costs identified the following deficiencies that weaken controls over the allowability of personnel expenditures:
• Amounts allocated to federal programs for personnel costs were not consistently supported by properly signed and reviewed timesheets. While RIDOH was able to provide timesheets for all selected pay periods, for the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) program, 6 of the 80 selected weekly timesheets lacked a supervisor signature. This was considered a control deficiency, but not noncompliance since the employee reported time and effort which supported allocation to the ELC program.
• One individual noted in our ELC payroll sample (4 weekly time sheets) did not have their recorded payroll adjusted through the subsequent quarterly entry to accurately reflect work performed on federal programs. This resulted in payroll costs being overallocated to the ELC program (questioned costs - $3,355).
• For both ELC and the Special Supplemental Nutrition Program for Women, Infants and Children (WIC), we noted time and effort recorded to generalized timesheet category codes (i.e., Administrative Support, Finance and Operations, ICS – Incident Command System) lacked sufficient detail (i.e., underlying activity performed in support of related category code) to support its specific federal program allocation. Questioned costs could not be determined due to the lack of time and effort detail reported.
Cause: Policies and procedures were ineffective to ensure amounts claimed and reimbursed by federal programs for personnel costs were reflective of the actual work performed on the various programs/projects listed. The State’s lack of sufficient timesheet detail prevented direct verification of recorded timesheet activities to the underlying charges on federal programs.
Effect: Personnel costs reimbursed from federal awards could be unallowable due to insufficient support and documentation.
Questioned Costs: $3,355 (ELC – 93.323)
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-033 Enhance weekly reporting of time and effort to improve documentation and support for personnel costs charged to federal programs.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-034 (other noncompliance / material weakness – repeat finding – 2022-041)
UNEMPLOYMENT INSURANCE – 17.225
Federal Awarding Agency: U.S. Department of Labor (DOL), Employment and Training Administration
Federal Award Fiscal Year: Not Applicable
Federal Award Number: Not Applicable – Direct Payments with Unrestricted Use Funded through U.S. Treasury Trust Fund
Administered by: Department of Labor and Training (DLT)
Compliance Requirement: Eligibility
CONTROLS OVER UNEMPLOYMENT INSURANCE BENEFIT PAYMENTS
Controls over the processing of unemployment insurance claims were insufficient to prevent ineligible unemployment insurance benefit payments.
Background: Individuals applying for unemployment benefits must comply with certain eligibility requirements to qualify for and maintain benefits through the program. States need to rely on systems and technology to administer unemployment insurance programs and ensure that individuals meet the various program requirements to receive benefits.
The system used by DLT to process unemployment insurance (UI) benefits utilizes outdated technology. This legacy system is mainframe-based and has reached end of life with a need for replacement. During the pandemic, the State enhanced application processing by implementing new “cloud-based” technologies designed to handle significant applicant volume and to employ controls to validate applicant identity and prevent program fraud. In contrast, the legacy benefit administration and payment system lacks the integration and controls inherent in modernized unemployment insurance systems and represents a risk to business continuity. During fiscal year 2023, benefit payments exceeded $150 million.
Criteria: Management is responsible for establishing and maintaining effective internal controls to process and disburse unemployment insurance benefits consistent with federal program guidelines.
Unemployment Insurance (UI) is funded by a tax on employers. UI is for individuals who earn wages from an employer who is required by law to pay the UI tax. UI work search requirements dictate that all unemployment insurance claimants are required to be actively seeking work. To receive UI benefits, eligibility requirements include:
1. Applicants to be unemployed through no fault of their own OR that their work hours MUST have been reduced.
2. All unemployment insurance claimants are required to actively seek work.
3. For non-exempt claimants, per U.S. DOL, “Basic Registration” into EmployRI is required at the time the initial UI claim is filed and “Full Registration” occurs once the claimant is active in the system by completing a work search activity (e.g., posts a résumé, completes a job search, etc.).
4. Per RI DLT Memorandum of UI Résumé Project (REF: 2019-UI-PROC-1517) “UI customers are required under Rule 1.18(F)(4) and (G) to post a résumé by the 6th week of benefit payments.”
Collections on overpayments due to error, ineligibility, or fraud must be reported and credited to the appropriate source that funded the unemployment insurance benefits.
Condition: While our testing found that unemployment insurance payments complied with most program eligibility requirements, noncompliance with certain requirements (specifically related to work search requirements) was noted. We tested a random sample of 60 individual benefit payments totaling $400,826 in fiscal 2023. In conjunction with our testing, the following exceptions were deemed to be in noncompliance with eligibility requirements that resulted in ineligible benefit payments (sample payments for ineligible individuals totaled $1,413):
• 1 of 60 (2%) was not denied/sent to adjudication for ineligible termination of employment. Scanned documentation (form UI425) from the employer in the OnBase Imaging system stated that the claimant was discharged/fired from employment for violating company policy; however, AS400 states that the claimant’s reason for termination was Lack of Work.
• 1 of 60 (2%) recorded the claimant’s name incorrectly in multiple screens of the UI mainframe system (AS400), OnBase Imaging system, and the EmployRI system (Evidence of identity verification due to case record deficiencies was lacking).
• 2 of 60 (4%) were not registered in the EmployRI system.
• 5 of 60 (8%) did not have a résumé in the EmployRI system.
Actual questioned costs during our audit period totaled $30,943 for these individuals.
In addition, we identified the following deficiencies in work requirement documentation during our testing that we deemed to be documentation deficiencies with State UI requirements. However, these deficiencies were not deemed to represent ineligible benefit payments:
• 31 of 60 (52%) had incomplete résumés in the EmployRI system. Each résumé had between 20%-60% completion rates and remained offline.
• The EmployRI system does not accurately record résumé modification dates. The system changes the modification date when a résumé is viewed, losing the audit trail of when it was last modified.
Beyond the above control considerations, DLT’s current mainframe system has reached end of life and poses significant business continuity risks to unemployment insurance benefit operations. Planning to modernize DLT’s systems is underway and should consider how enhanced and more integrated system controls over eligibility can be employed.
Cause: DLT’s internal control procedures were not sufficiently effective to ensure that unemployment benefit payments were made only to eligible individuals. DLT has not implemented compensating controls for the UI mainframe’s lack of functionality. The lack of integration between the current mainframe and other support applications (i.e., OnBase Imaging and EmployRI systems) limits DLT’s ability to implement automated controls to enhance compliance with certain UI requirements. DLT does not have adequate controls in place to detect noncompliance with work search requirements (i.e., EmployRI registration).
Effect: UI benefits paid to ineligible individuals that did not comply with program eligibility requirements.
Questioned Costs: $30,943
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2023-034a Implement compensating controls to identify non-compliance with program requirements.
2023-034b Ensure that on-going considerations for the modernization of the unemployment benefit program administration system maximize automated processes designed to enhance controls over eligibility requirements.
Auditee views: The auditee partially disagrees with this finding – see Corrective Action Plan in Section E.
Finding 2023-035 (material noncompliance / material weakness – repeat finding – 2022-042)
UNEMPLOYMENT INSURANCE – 17.225
Federal Awarding Agency: U.S. Department of Labor (DOL), Employment and Training Administration
Federal Award Fiscal Year: Not Applicable
Federal Award Number: Not Applicable – Direct Payments with Unrestricted Use Funded through U.S. Treasury Trust Fund
Administered by: Department of Labor and Training (DLT)
Compliance Requirement: Special Tests and Provisions – UI Program Integrity - Overpayments
UNEMPLOYMENT INSURANCE PROGRAM INTEGRITY – OVERPAYMENTS
The Department of Labor and Training (DLT) did not make the necessary changes to its system to allow for the imposition of penalties on overpayments due to fraud, and to prohibit relief from charges to an employer’s Unemployment Compensation (UC) account when the overpayment was the result of the employer’s failure to respond timely or adequately to a request for information.
Criteria: Federal law provides that (1) States are required to impose a monetary penalty (not less than 15 percent) on claimants whose fraudulent acts resulted in overpayments and deposit the funds in the State’s account in the Unemployment Trust Fund, and (2) States are prohibited from providing relief from charges to an employer’s UC account when overpayments are the result of the employer’s failure to respond timely or adequately to a request for information.
Pub. L. No. 112-40, enacted on October 21, 2011, and effective October 21, 2013, amended sections 303(a) and 453A of the Social Security Act and sections 3303, 3304, and 3309 of the Federal Unemployment Tax Act (FUTA) to improve program integrity and reduce overpayments. (See UIPL Nos. 02-12, and 02-12, Change 1.)
In compliance with federal law, the State enacted these requirements into State law effective October 1, 2013, including a 15% penalty on overpayments due to claimant fraud (RIGL 28-42-62.1(a)(4)) and a prohibition on relieving the employer’s account of charges relating to any benefit overpayments made if the employer was at fault for failure to respond timely or adequately to a department request for information relating to the claim (RIGL 28-43-3(2)(viii)).
Condition: During fiscal 2023, DLT was not properly identifying and handling overpayments, including, as applicable, assessment of the 15% penalty on claimants who commit fraud, and not relieving an employer’s account of charges for overpayments when their untimely or inaccurate responses cause improper payments. The significant amount of fraud experienced during the pandemic coupled with the system not assessing the required penalties on these overpayments continued to result in material noncompliance with federal regulations during fiscal 2023. Overpayments must be established and communicated to the recipient to initiate collection. DLT is aware of the requirement and the need for programming modifications to its current system or planned modernization.
Cause: DLT has not implemented the UI system programming required to impose penalties for overpayments due to fraud.
Effect: Noncompliance with federal and State laws as well as lost revenue on penalties not assessed.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-035 Adopt procedures to: (1) impose and collect a 15% penalty on benefit overpayments of claimants who commit fraud (RIGL 28-42-62.1(a)(4)) and (2) prohibit providing relief to an employer account when an overpayment is the result of the employer’s failure to respond timely or adequately to a request for information by the State agency (RIGL 28-43-3(2)(viii)).
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-036 (material weakness – new finding)
UNEMPLOYMENT INSURANCE – 17.225
Federal Awarding Agency: U.S. Department of Labor (DOL), Employer Tax Unit
Federal Award Fiscal Year: Not Applicable
Federal Award Number: Not Applicable – Direct Payments with Unrestricted Use Funded through U.S. Treasury Trust Fund
Administered by: Department of Labor and Training (DLT)
Compliance Requirement: Special Tests and Provisions – Employer Experience Rating
CONTROLS OVER EMPLOYER EXPERIENCE RATING
Controls over the processing of employer tax were insufficient to identify changes in tax rates and improper disbursement of refunds.
Background: Certain benefits accrue to states and employers by having a federally approved experience-rated UI tax system. All states currently have an approved system. For the proper administration of the system, the DLT maintains accounts, or subsidiary ledgers, on State UI taxes received or due from individual employers, and the UI benefits charged to the employer. The employer’s “experience” with the unemployment of former employees is the dominant factor in the DLT computation of the employer’s annual State UI tax rate. The computation of the employer’s annual tax rate is based on State UI law (26 USC 3303).
Experience rating systems are generally highly automated systems. DLT relies on its old mainframe system to determine experience ratings for employers. When employers appeal their employer tax rate, DLT will evaluate the appeal and, if required, evaluate and redetermine the experience rating for that employer. This process is highly dependent on manual processes and key personnel within the Employer Tax Unit.
Criteria: Management is responsible for establishing and maintaining effective internal controls to collect and process employer taxes consistent with federal program guidelines including appropriate procedures to ensure employers pay the correct tax rate and tax payments are received timely.
Condition: While our testing found that experience rates determined or adjusted by DLT during fiscal 2023 were proper, internal control procedures could be further enhanced to improve the documentation of tax rate changes and identification of errors that could result during current manual processes. Changes in the employer tax rate result in a refund or bill, and these changes are approved and updated by a single individual. Refund lists are manually reviewed and recalculated by another individual; however, refund thresholds reduce the amount of review performed and evidence of the review is not adequately documented.
DLT’s manually intensive processes lack formalization, result in inadequate segregation of duties, and are prone to error. DLT’s mainframe system has reached end of life, is reliant on key employees for effective operation, and poses significant business continuity risks to unemployment insurance operations. Modernization of DLT’s system should prioritize enhancements to create proper segregation of duties and reduce manual processes to ensure accuracy of rate changes prior to disbursement of tax refunds.
Cause: Control deficiencies exist over the determination of employer experience ratings that are utilized in UI employer tax rate calculations. DLT’s current mainframe requires manual processing of employer experience rating adjustments which are susceptible to error and lack documentation. The department is aware of the system limitations and has communicated concern over its lack of IT support to keep the system running in the future.
Effect: Potential noncompliance if employer experience ratings are not determined in accordance with program requirements.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-036a Implement and document compensating controls to identify non-compliance with program requirements to prevent and detect changes in tax rates and improper disbursement of refunds.
2023-036b Ensure that the future modernization of UI technology ensures that adjustments to employer experience ratings are more automated, clearly documented, and less reliant on key employees to ensure effective operation.
Auditee views: The auditee partially disagrees with this finding – see Corrective Action Plan in Section E.
DLT’s manually intensive processes lack formalization, result in inadequate segregation of duties, and are prone to error. DLT’s mainframe system has reached end of life, is reliant on key employees for effective operation, and poses significant business continuity risks to unemployment insurance operations. Modernization of DLT’s system should prioritize enhancements to create proper segregation of duties and reduce manual processes to ensure accuracy of rate changes prior to disbursement of tax refunds.
Cause: Control deficiencies exist over the determination of employer experience ratings that are utilized in UI employer tax rate calculations. DLT’s current mainframe requires manual processing of employer experience rating adjustments which are susceptible to error and lack documentation. The department is aware of the system limitations and has communicated concern over its lack of IT support to keep the system running in the future.
Effect: Potential noncompliance if employer experience ratings are not determined in accordance with program requirements.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-036a Implement and document compensating controls to identify non-compliance with program requirements to prevent and detect changes in tax rates and improper disbursement of refunds.
2023-036b Ensure that the future modernization of UI technology ensures that adjustments to employer experience ratings are more automated, clearly documented, and less reliant on key employees to ensure effective operation.
Auditee views: The auditee partially disagrees with this finding – see Corrective Action Plan in Section E.
Finding 2023-030 (material noncompliance / material weakness – repeat finding – 2022-039 and 2022-060)
EMERGENCY RENTAL ASSISTANCE PROGRAM – 21.023
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: ERAE0006
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
CORONAVIRUS STATE AND LOCAL FISCAL RECOVERY FUNDS – 21.027
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: SLFRP0136
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019 to 2024
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
DISASTER GRANTS – PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) – 97.036
Federal Awarding Agency: U.S. Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA)
Federal Award Fiscal Years: 2020 to 2023
Federal Award Number: FEMA-4505-DRRIP00000001
Administered by: Rhode Island Emergency Management Agency (RIEMA)
Compliance Requirement: Subrecipient Monitoring
SUBRECIPIENT MONITORING
The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs.
Background: The State relies on grantee agencies to perform subrecipient monitoring, when required, and ensure compliance with federal regulations. There is no statewide monitoring of subrecipient activities to ensure compliance with federal regulations.
Criteria: 2 CFR §200.332(d) “Requirements for pass-through entities” requires that all pass-through entities must “monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.” That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.
2 CFR §200.332(a)(1) requires pass-through entities to clearly identify certain Federal award identification information in the subaward (e.g., subrecipient unique entity identifier, Federal Award Identification Number, Assistance Listing number and title, et al.).
Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed subrecipient financial and performance reports, i.e., Single Audit reports, when applicable, or performed other monitoring activities to comply with federal regulations. Based on test results, specific to agency review of Single Audit reports, the following programs were deemed to be in material noncompliance with subrecipient monitoring requirements:
[See Schedule of Findings and Questioned Costs for tables.]
In addition to the noncompliance related to review of subrecipient audit reports noted above, we identified the following deficiencies:
• Emergency Rental Assistance Program and Coronavirus State and Local Fiscal Recovery Funds – The Pandemic Recovery Office (PRO) along with the Department of Housing, through a memorandum of understanding with PRO to administer portions of these programs, executed various subawards with local non-profit organizations. Procedures were in place to review and approve monthly invoice packages for adherence to program requirements and contract budgets, and consistency with key performance indicator data submitted by the subrecipients. However, no on-site monitoring was performed in fiscal 2023 and periodic meetings with subrecipients were not documented.
• Epidemiology and Laboratory Capacity for Infectious Diseases – Subawards executed by the Department of Health did not adequately identify required Federal award identification information.
Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations.
Effect: Noncompliance with federal compliance requirements by subrecipients could occur without being identified by the State in a timely manner.
Questioned Costs: None
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-030 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-037 (other noncompliance / significant deficiency – new finding)
EMERGENCY RENTAL ASSISTANCE PROGRAM – 21.023
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: ERAE0006
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
Compliance Requirement: Allowable Costs/Cost Principles
INSUFFICIENT DOCUMENTATION TO SUPPORT COSTS INCURRED FOR LEGAL SERVICES CHARGED TO THE EMERGENCY RENTAL ASSISTANCE PROGRAM
Documentation and monitoring procedures were inadequate to support allowable legal services that were prepaid to a contractor on a quarterly basis.
Background: The Pandemic Recovery Office (PRO) within Rhode Island Department of Administration executed a memorandum of understanding with the Rhode Island Department of Housing (formerly the Office of Housing and Community Development) to administer certain aspects of the Emergency Rental Assistance (ERA) Program. In fiscal 2023, a contract agreement was signed between the Department of Housing and a vendor to provide legal services for eviction defense to program participants. The vendor contract included an exhibit detailing the anticipated (budgeted) personnel and fringe costs, subcontract amounts, and other non-personnel related costs (computers, supplies, etc.) supporting the contract amount.
Criteria: Uniform Guidance cost principles dictate that in order to be allowable under Federal awards, costs must be adequately documented (2 CFR §200.403(g)).
Condition: The vendor providing legal services to program participants submitted invoices (reviewed as significant transactions during our audit period) to the Department of Housing on a quarterly basis. However, these invoices were submitted at the beginning of the quarterly period (e.g., invoice for the period of March 1, 2023 to May 31, 2023 was dated on March 9, 2023). The invoice amount equated to one fourth of the total contract amount.
Since this program activity was structured as a vendor agreement and not a subaward, the Department of Housing should have obtained supporting documentation of time and effort performed by the vendor during the invoice period to validate the quarterly amount advanced to the vendor. The lack of supporting documentation for these program expenditures constituted a deficiency in internal control over compliance and noncompliance with Uniform Guidance requirements for adequate documentation.
While the transaction amounts to this vendor were deemed significant, program disbursements made based on vendor contracts were infrequent. Most ERA disbursements were administered as subawards and our review of controls over subawards was found to be in place and operating effectively.
Cause: Monitoring procedures were inadequate to ensure the contractor utilized the funds provided to support program objectives.
Effect: Program funds could have been used by the contractor for unallowable activities and/or unallowable costs.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-037 Obtain documentation from the legal services contractor to ensure that quarterly time and effort complied with the underlying vendor contract.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-038 (significant deficiency – new finding)
EMERGENCY RENTAL ASSISTANCE PROGRAM – 21.023
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: ERAE0006
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
HOMEOWNER ASSISTANCE FUND – 21.026
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: HAF0142
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
CORONAVIRUS STATE AND LOCAL FISCAL RECOVERY FUNDS – 21.027
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Numbers: SLFRP0136
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
Compliance Requirement: Reporting
FEDERAL FINANCIAL AND PERFORMANCE REPORTING
Controls were not adequate to ensure complete and accurate program reporting.
Background: The Pandemic Recovery Office subgranted with the Rhode Island Housing and Mortgage Finance Corporation (RI Housing), a component unit of the State, to administer certain aspects of the Emergency Rental Assistance (ERA) and Homeowner Assistance Fund (HAF) programs. Certain required data elements, including a significant portion of program expenditures, are generated at RI Housing and reported back to the PRO for inclusion in the required program reporting.
Criteria: The U.S. Treasury has prescribed financial and performance reporting requirements for pandemic recovery programs through electronic submission. Reporting requirements for ERA and HAF include certain key demographic information to showcase the use of funds to aid eligible program participants.
State Fiscal Recovery Funds (SFRF) quarterly reports include detail on each project’s current period and cumulative obligations and expenditures, which should be adequately supported by accounting records. The annual performance report is required to be made publicly available and the report should detail each SFRF-funded project, identifying the funding amount, project expenditure category, and description of the project.
Condition: The PRO does not have adequate procedures in place to ensure that required reports were complete and accurate.
For the SFRF program, the State was required to complete quarterly reports that included both financial and program data and an annual performance report, which includes expenditure and program progress data for each project under the program. The quarterly reports include expenditure and subaward data for individual projects, as well as cumulative data. We selected two quarters and the annual report for testing and noted the following issues:
• Instances where quarterly (i.e., June 2023) and cumulative expenditures per project did not agree to the State accounting system; and
• The annual performance report did not include the project accounting for the PRO administrative expenditures.
For the ERA and HAF programs, required reports include both financial data and performance indicators, principally demographic information of the program participants receiving benefits. As a significant portion of ERA and the majority of HAF are administered by a component unit of the State, this demographic information is forwarded to PRO for inclusion in the report, as are the agency’s supporting files. PRO reviews the files and forwards questions back as needed as part of their quality control process before the reports are completed and submitted. We noted the following issues:
• Required demographic information for one selected quarter could not be verified as completed. PRO did not save a copy of the report at the time of submission, and due to an issue with the federal grantor agency’s system, a completed copy of the submitted report could not be retrieved for testing.
• Underlying support for demographic information provided by the component unit agency did not adequately support the information reported. We noted instances in which the amounts reported did not agree to the data included in the report, or did not include all required elements. The review of reports performed by PRO staff did not identify these reporting deficiencies.
• Expenditure and subaward amounts in ERA quarterly reports did not appear to be reported correctly. We noted several instances in both quarters tested where subaward amounts reported varied from the actual subaward agreements. Additionally, total current and cumulative expenditures reported did not agree to the total of expenditures detailed within the reports.
Cause: Lack of adequate procedures for reconciling reported data to underlying support, including adequate oversight of information provided by the component unit agency.
Effect: Reports may not be accurate or include all required information.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-038a Modify procedures for completing and documenting report data submitted to ensure that reports are properly reconciled to supporting documentation.
2023-038b Resubmit corrected reports, as needed.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-039 (other noncompliance / significant deficiency – new finding)
CORONAVIRUS STATE AND LOCAL FISCAL RECOVERY FUNDS – 21.027
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: SLFRP0136
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
Compliance Requirements: Activities Allowed or Unallowed; Allowable Costs/Cost Principles
TIME AND EFFORT REPORTING
The Pandemic Recovery Office’s time and effort reporting for the State Fiscal Recovery Fund (SFRF) did not provide adequate detail to fully support certain personnel costs charged to the program.
Background: PRO instituted time reporting worksheets for employees to allocate their time spent on SFRF-related activities during the week. On a weekly basis, the agency compares its “Master Timesheet” to each employee’s timesheet for the purpose of recording an adjusting journal entry. This entry is recorded to adjust payroll expenditures in accordance with actual time spent on program activities.
Criteria: 2 CFR §200.430(i)(1) requires that “Charges to Federal awards for salaries and wages must be based on records that accurately reflect the work performed.”
Condition: Our review of payroll costs identified the following deficiencies that weaken controls over the allowability of personnel expenditures:
• During the examination of payroll allocations charged to the program, we identified that one employee’s payroll costs continued to be charged in full to SFRF for 5 pay periods subsequent to their departure from the PRO. PRO did not identify and adjust for this exception during fiscal 2023 (questioned costs - $34,533).
• PRO maintains a Master Timesheet for all its employees and asserts that only individuals listed on the Master Timesheet are eligible to submit payroll charges against SFRF. We noted one employee charged to the program for whom, upon review of the employee time records, no work hours under the SFRF program were reported. While it was explained that this employee was partially dedicated to performing SFRF activities within the Division of Purchasing, no time sheet documentation was provided in support of SFRF activities (questioned costs - $13,132).
• During the review of timesheets for PRO supervisory approval, it was noted that several employee timesheets received approval from their supervisors one, two, and in some instances, three days prior to the conclusion of the pay period. This observation raises concerns regarding the timeliness and accuracy of time reporting, potentially impacting the integrity of payroll processing and adherence to internal controls over timekeeping procedures. According to the PRO, this is due to the Department of Administration’s routine request for submission of timesheets prior to the end of the period. If PRO identifies an instance that requires an amendment to the original timesheet, an amended timesheet will be submitted subsequently.
Cause: Insufficient controls over the claiming of personnel expenditures to ensure compliance with federal requirements (i.e., adequate documentation of time and effort).
Effect: Personnel expenditures could be unallowable due to a lack of adequate support and/or inaccurate allocation of expenditures to the SFRF program.
Questioned Costs: $47,655
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2023-039a Conduct regular reconciliation and monitoring of payroll charges to agency records to improve documentation and support for personnel costs charged to federal programs.
2023-039b Modify current policies relating to timesheet collection to ensure that supervisory reviews of time and effort reporting are accurate and complete.
Auditee views: The auditee partially disagrees with this finding – see Corrective Action Plan in Section E.
Finding 2023-040 (other matter / significant deficiency – new finding)
STUDENT FINANCIAL ASSISTANCE CLUSTER – 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.342, 93.364
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Years: 2022 to 2023
Federal Award Number: Not Applicable
Administered by: Rhode Island College (RIC)
Compliance Requirements: Special Tests & Provisions – Gramm-Leach-Bliley Act
RHODE ISLAND COLLEGE – GRAMM-LEACH-BLILEY ACT
Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR §314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR §313.3(k)(2)(vi)).
Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.
Context: During our testing of the College’s information technology, we noted that the College’s written security program did not meet the following compliance requirements:
• Ensure that the written information security program describes the use of a data inventory that includes how the institution identifies and manages data, personnel, devices, systems and facilities.
• Ensure that the written information security program identifies the use of multi-factor authentication for individuals accessing sensitive information across systems.
• Ensure that the written information security program includes an adopted change management policy with procedures documented accordingly.
• Ensure that the written information security program is evaluated and adjusted based on monitoring results, risk assessments and penetration tests.
• Ensure the written information security program has been updated within the audit period.
Cause: The College has continued to make progress in updating the College’s written security program to become compliant with all requirements; however, due to capacity and demands on the information technology individuals, this is still a work in process.
Effect: Student personal information could be vulnerable.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-040 We recommend that the College designate an individual to oversee the information security function and work to update the College’s written security program to ensure compliance with all the standards.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-042 (other matter / significant deficiency – new finding)
STUDENT FINANCIAL ASSISTANCE CLUSTER – 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.342, 93.364
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Years: 2022 to 2023
Federal Award Number: Not Applicable
Administered by: University of Rhode Island (URI)
Compliance Requirements: Special Tests & Provisions – Gramm-Leach-Bliley Act
UNIVERSITY OF RHODE ISLAND – GRAMM-LEACH-BLILEY ACT
Criteria: The Gramm-Leach-Bliley Act (GLBA) (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR §314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR §313.3(k)(2)(vi)). Entities must establish and maintain effective internal control over federal awards (2 CFR §200.303).
Condition: Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. GLBA requires the information security program to have the elements defined at 16 CFR §314.4. During audit testing, it was noted the University did not have all the required elements.
Context: During our testing of the University’s information security plan, we noted the following:
• The University has a written information security plan titled 2.01 URI Information Security Program that is currently in draft form and has not been approved and formally implemented.
Cause: Policies and controls did not ensure the draft comprehensive information security program was finalized and implemented on a timely basis.
Effect: The University did not have a written final approved information security program in compliance with GLBA in place as of June 30, 2023.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-042 We recommend that the University approve and formally implement its information security program.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-041 (other matter / significant deficiency – new finding)
STUDENT FINANCIAL ASSISTANCE CLUSTER – 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.342, 93.364
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Years: 2022 to 2023
Federal Award Number: P268K232175
Administered by: Rhode Island College (RIC)
Compliance Requirements: Special Tests & Provisions
RHODE ISLAND COLLEGE – RECONCILIATIONS OF THE DIRECT LOAN PROGRAM
Criteria: The Code of Federal Regulations, 34 CFR §685.300(b)(5), requires the College, on a monthly basis, to reconcile the institutional records with the Direct Loan funds received from the Secretary and the Direct Loan disbursement records submitted to and accepted by the Secretary.
Condition: Direct loan reconciliations between the COD, G5 and student accounts were not being performed in a timely manner for the year.
Context: Not all direct loan reconciliations were created on time during the year, due to staffing issues that occurred during the year.
Cause: The College’s management had turnover in key positions during the year, which increased the problems with timely reconciliations.
Effect: The College is not complying with internal policy and federal requirements to ensure funds are properly reconciled in a timely manner.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-041 The College should ensure all necessary employees receive proper training, support, and time to follow the College's policies and federal requirements related to monthly reconciliations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-040 (other matter / significant deficiency – new finding)
STUDENT FINANCIAL ASSISTANCE CLUSTER – 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.342, 93.364
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Years: 2022 to 2023
Federal Award Number: Not Applicable
Administered by: Rhode Island College (RIC)
Compliance Requirements: Special Tests & Provisions – Gramm-Leach-Bliley Act
RHODE ISLAND COLLEGE – GRAMM-LEACH-BLILEY ACT
Criteria: The Gramm-Leach-Bliley Act (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. (16 CFR §314) The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR §313.3(k)(2)(vi)).
Condition: Under an institution’s Program Participation Agreement with the Department of Education and the Gramm-Leach-Bliley Act, schools must protect student financial aid information, with particular attention to information provided to institutions by the Department or otherwise obtained in support of the administration of the federal student financial aid programs.
Context: During our testing of the College’s information technology, we noted that the College’s written security program did not meet the following compliance requirements:
• Ensure that the written information security program describes the use of a data inventory that includes how the institution identifies and manages data, personnel, devices, systems and facilities.
• Ensure that the written information security program identifies the use of multi-factor authentication for individuals accessing sensitive information across systems.
• Ensure that the written information security program includes an adopted change management policy with procedures documented accordingly.
• Ensure that the written information security program is evaluated and adjusted based on monitoring results, risk assessments and penetration tests.
• Ensure the written information security program has been updated within the audit period.
Cause: The College has continued to make progress in updating its written security program to become compliant with all requirements; however, due to capacity and demands on the information technology staff, this is still a work in progress.
Effect: Student personal information could be vulnerable.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-040 We recommend that the College designate an individual to oversee the information security function and work to update the College’s written security program to ensure compliance with all the standards.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-043 (other noncompliance / significant deficiency – repeat finding – 2022-055)
TITLE I GRANTS TO LOCAL EDUCATION AGENCIES – 84.010
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Year: 2023
Federal Award Number: S010A220039 – 22A
Administered by: Rhode Island Department of Education (RIDE)
Compliance Requirement: Special Tests and Provisions – Oversight and Monitoring Responsibilities with Respect to Charter Schools with Relationships with Charter Management Organizations
SPECIAL TESTS AND PROVISIONS – OVERSIGHT AND MONITORING RESPONSIBILITIES WITH RESPECT TO CHARTER SCHOOLS WITH RELATIONSHIPS WITH CHARTER MANAGEMENT ORGANIZATIONS
RIDE does not have any specific procedures to assess the risk posed by conflicts of interest, related party transactions, or insufficient segregation of duties between the Charter School and Charter Management Organization (CMO).
Criteria: As grantees, State Education Agencies (SEAs) / Local Education Agencies (LEAs) are responsible for overseeing and monitoring subrecipients, including charter schools with relationships with Charter Management Organizations (CMOs). The SEA/LEA must: (1) evaluate each subrecipient’s risk of noncompliance with federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining appropriate subrecipient monitoring (2 CFR §200.332(b)); and (2) monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved (2 CFR §200.332(d)).
Additional requirements applicable to nonfederal entities receiving federal funds include: (1) the Code of Federal Regulations (CFR) requirements regarding conflicts of interest, (2) guidance regarding related-party transactions in generally accepted accounting principles, and (3) the GAO Green Book and COSO framework guidance regarding segregation of duties applicable to charter schools with relationships with CMOs.
Condition: RIDE’s policies, procedures, and internal controls for reviewing charter schools with relationships with Charter Management Organizations (CMOs) are the same as for all LEAs. Those policies and procedures do not include any specific procedures to assess the risk posed by conflicts of interest, related party transactions, or insufficient segregation of duties between the Charter School and CMO.
Cause: RIDE currently has two Charter Schools with a relationship with a CMO and did not modify its policies, procedures, and internal controls to address the Federal requirements related to the relationship.
Effect: RIDE is not in compliance with federal regulations.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-043 Enhance the policies, procedures, and internal controls over monitoring LEAs, Charter Schools, and Charter Schools with relationships to CMOs to include assessing the risk posed by conflicts of interest, related-party transactions, or insufficient segregation of duties between the Charter School and CMO.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-044 (significant deficiency – repeat finding – 2022-056)
TITLE I GRANTS TO LOCAL EDUCATION AGENCIES – 84.010
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Year: 2023
Federal Award Number: S010A220039 – 22A
Administered by: Rhode Island Department of Education (RIDE)
CAREER AND TECHNICAL EDUCATION – BASIC GRANTS TO STATES – 84.048
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Year: 2023
Federal Award Number: V048A220039 - 22A
Administered by: Rhode Island Department of Education (RIDE)
EDUCATION STABILIZATION FUND – 84.425B, 84.425C, 84.425D, 84.425U, 84.425W, 84.425V
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Years: 2020 and 2021
Federal Award Numbers: S425B200026, S425C210028, S425D210046, S425U21046-21A, S425V210010, S425W210041-21A
Administered by: Rhode Island Department of Education (RIDE)
Compliance Requirement: Activities Allowed or Unallowed
ACTIVITIES ALLOWED OR UNALLOWED
Information technology (IT) security controls over the Accelegrants system need improvement to protect reliability of the system data used to administer federal compliance.
Background: The Local Education Agencies (LEAs) generate and submit their Consolidated Resource Plan (CRP) to the Rhode Island Department of Education (RIDE) through the Accelegrants System – an application provided by a third-party vendor. Using this information, RIDE allocates the State’s allotted funding for the Title I Grants to Local Education Agencies, Education Stabilization Fund, and Career and Technical Education – Basic Grants to States programs amongst the LEAs. Additionally, the LEAs submit their requests for federal reimbursement through Accelegrants. The State allocation of Title I federal funding is reliant on the data reported in Accelegrants.
Criteria: Management should ensure that systems critical to the administration of federal programs comply with IT security industry standards and best practices. The State has adopted such practices through its Division of Enterprise Technology Strategy and Services for agencies to comply with. IT security industry standards and best practices dictate that proper access management is essential for any application processing electronic data. Access management should be in place within the Accelegrants application to ensure the proper protection and integrity of RIDE data. A critical part of access management is to ensure the timely adjustment of access privileges or removal of system access altogether for users who either transfer or terminate employment. In addition, it is vital that oversight of the vendor activities is maintained for the agency to be able to rely on the software application vendor for system security and availability.
Condition: Our evaluation of RIDE’s information systems security management noted several areas in need of improvement. Efforts are needed to provide a comprehensive approach to critical system security requirements that addresses the following:
• Access Management:
o There was no documented process to either request or track user account changes (including additions, deletions, and privilege changes).
o Due to a lack of a formal user account request and tracking process, it could not be determined whether user access was appropriate or removed timely. Our review of user access, as of April 2023, noted a significant number of inactive users, several with inactivity for more than a year, whose access had not been removed.
o There was no documented periodic review of either user access or privileges to validate whether the granted access was still appropriate during fiscal 2023.
• SOC 2 Complementary User Entity Controls – There was no documented evidence of agency assessment or consideration of complementary user entity controls that were specified in the vendor-provided SOC 2 report.
• Vendor Management – There was no evidence provided of agency IT vendor management oversight to ensure vendor conformance with industry standards and best practices. The agency has no method to document and review the SOC 2 report provided by the vendor.
Our follow-up on user access and privileges after year-end suggested that RIDE made progress in updating privileges and removing user access. However, RIDE did not document that process in a manner that allowed for evaluation. Although RIDE also developed policies and procedures relating to controls over user access and the consideration of complementary user entity controls relating to Accelegrants, these policies and procedures were not implemented until fiscal year 2024.
Cause: Lack of dedicated agency resources and documentation relating to information systems security and the consideration of complementary user entity controls.
Effect: Limited monitoring of user access results in a weakening of application and data security which undermines data integrity in program administration.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-044a Enhance internal controls and timeframes to ensure prompt termination of system access when employees leave or change functions. Document occurrences of timely reviews of access privileges to determine if access is appropriate.
2023-044b Review vendor-identified complementary user entity controls specified in the vendor SOC 2 report and maintain the agency response as to relevance and how they are being addressed.
2023-044c Implement basic agency IT Vendor Management oversight to ensure conformance with industry standards and best practices.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-045 (significant deficiency – new finding)
CAREER AND TECHNICAL EDUCATION – BASIC GRANTS TO STATES – 84.048
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Year: 2023
Federal Award Number: V048A220039 - 22A
Administered by: Rhode Island Department of Education (RIDE)
Compliance Requirement: Eligibility
ELIGIBILITY
RIDE did not calculate the correct Career and Technical Education (CTE) allocation for Local Education Agencies (LEA).
Criteria: Section 131(a) of Perkins V (20 USC 2351) requires the State Education Agency (SEA) to distribute funds to Local Education Agencies (LEA) in two tranches as follows:
• The first tranche accounts for 30% of the grant award and is allocated based on the population of individuals aged 5 through 17 residing in the school district as a percentage of the total individuals aged 5 through 17 in all school districts.
• The second tranche accounts for 70% of the grant award and is allocated based on the population of individuals aged 5 through 17 who are from families below the poverty level residing in the school district as a percentage of the total individuals aged 5 through 17 who are from families below the poverty level residing in all school districts.
Condition: RIDE calculated the allocation of grant awards for the 30 percent tranche based on the methodology used for individuals whose families are below the poverty level as opposed to the population of the school district. This caused 29 LEAs to be allocated less than required by federal regulations and 11 LEAs to be allocated more than allowed by federal regulations. This misallocation amounted to $318 thousand of the $6.7 million grant award. The incorrect allocation did not result in noncompliance since no LEA provider spent their entire allocation and RIDE was able to recalculate and allocate the correct amounts to each provider.
Cause: The department used a spreadsheet to calculate the allocations to each school district. The spreadsheet did not include the allocation percentages for the 30% tranche (i.e., allocation of grant funding based on the school district population of individuals aged 5 through 17). Oversight was lacking to identify the allocation error in a timely manner.
Effect: Noncompliance with federal rules and regulations relating to the allocation of grants to Local Education Agencies.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-045 Enhance internal controls over the allocation of CTE grants to LEAs to ensure the allocations are calculated in accordance with federal regulations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-046 (material noncompliance / material weakness – new finding)
CAREER AND TECHNICAL EDUCATION – BASIC GRANTS TO STATES – 84.048
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Year: 2022
Federal Award Number: V048A210039 - 21A
Administered by: Rhode Island Department of Education (RIDE)
Compliance Requirement: Eligibility
ELIGIBILITY
RIDE did not reallocate unspent Career and Technical Education (CTE) grants in accordance with Section 133(b) of Perkins V.
Criteria: Section 133(b) of Perkins V (20 USC 2353) requires the State Education Agency (SEA) to reallocate unspent funds in the academic year based on Section 131(a) of Perkins V (20 USC 2351) which requires the State Education Agency (SEA) to distribute funds to Local Education Agencies (LEA) in two tranches as follows:
• The first tranche accounts for 30% of the grant award and is allocated based on the population of individuals aged 5 through 17 residing in the school district as a percentage of the total individuals aged 5 through 17 in all school districts.
• The second tranche accounts for 70% of the grant award and is allocated based on the population of individuals aged 5 through 17 who are from families below the poverty level residing in the school district as a percentage of the total individuals aged 5 through 17 who are from families below the poverty level residing in all school districts.
Condition: The department’s reallocation of unspent fiscal year 2022 CTE grants ($2.7 million) during fiscal year 2023 was not performed in accordance with Section 133(b) of Perkins V. The department in essence allowed the LEAs to keep and spend the funds until the expiration of the 27-month obligation period. This caused 22 LEAs to be allocated less than required by federal regulations and 14 LEAs to be allocated more than allowed by federal regulations.
Cause: The CTE Board of Trustees implemented rules under which unspent funds roll over to the LEAs until the expiration of the 27-month obligation period, which did not comply with federal rules and regulations.
Effect: Noncompliance with federal rules and regulations causing an improper allocation of grants to Local Education Agencies.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-046a Amend the reallocation of unspent funds during the academic year in accordance with Section 131(a) of Perkins V.
2023-046b Enhance controls and revise policies over the allocation of CTE grants to LEAs, to ensure the reallocations are calculated in accordance with federal regulations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-047 (other noncompliance / material weakness – new finding)
CAREER AND TECHNICAL EDUCATION – BASIC GRANTS TO STATES – 84.048
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Year: 2023
Federal Award Number: V048A220039 - 22A
Administered by: Rhode Island Department of Education (RIDE)
Compliance Requirement: Matching, Level of Effort, Earmarking
LEVEL OF EFFORT – SUPPLEMENT NOT SUPPLANT
RIDE did not ensure the Local Education Agencies (LEAs) supplemented and not supplanted federal funding for Career and Technical Education (CTE).
Criteria: The State Education Agency (SEA) and its subrecipients may use funds for career and technical education activities that supplement, and not supplant, non-federal funds expended to carry out career and technical education activities (Section 211(a) of Perkins V (20 USC 2391(a))).
Condition: RIDE does not have documentation supporting its efforts to ensure compliance with Supplement Not Supplant. Currently, the department reviews the LEAs’ federal budget information related to CTE through Accelegrants prior to the allocation of grant funds. This information does not include State or local funds being used for the program, which limits RIDE’s ability to ensure compliance with supplement not supplant.
Cause: Absence of adequate policies, procedures, and documentation to ensure compliance with federal requirements.
Effect: The LEA(s), and consequently the department, may not be in compliance with federal regulations.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-047 Enhance internal controls over LEA supplement not supplant requirements by creating policies and procedures designed specifically for the CTE program. Additionally, ensure adequate documentation is maintained by the department to support such compliance.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-048 (other noncompliance / material weakness – new finding)
CAREER AND TECHNICAL EDUCATION – BASIC GRANTS TO STATES – 84.048
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Year: 2023
Federal Award Number: V048A220039 - 22A
Administered by: Rhode Island Department of Education (RIDE)
Compliance Requirement: Subrecipient Monitoring
STATE MONITORING OF ELIGIBLE RECIPIENTS
RIDE did not conduct an annual evaluation of local adjusted levels of career and technical education activity performance for eligible recipients, nor did it implement improvement plans for subrecipients that failed to meet at least 90 percent of the agreed-upon local level of performance for any of the core indicators of performance.
Criteria: Each state must evaluate annually, using the local adjusted levels of performance described in Section 113(b)(4) of Perkins V (20 USC 2323(b)(4)), the career and technical education activities of each eligible recipient receiving funds under Sections 131 and 132 of Perkins V (Section 123(b)(1) of Perkins V (20 USC 2343(b)(1))).
The state determines whether a subrecipient failed to meet at least 90 percent of an agreed-upon local level of performance for any of the core indicators of performance described in Section 113(b)(4) of Perkins V for all CTE concentrators and, if so, requires the subrecipient to develop and implement the improvement plan required by Section 123(b)(2) of Perkins V (20 USC 2343(b)(2)).
The state must require eligible subrecipients to include the levels of performance for each of the core indicators of performance in their local applications as required by Section 113(b)(4)(A)(ii) and disaggregated performance reporting as required by Section 113(b)(4)(B)(ii) of Perkins V.
Condition: RIDE did not perform an evaluation of local level of performance for core indicators required by federal regulations.
Cause: Absence of policies and procedures to ensure compliance with federal requirements.
Effect: Noncompliance with federal rules and regulations.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-048a Develop and promulgate policies and procedures for the evaluation of subrecipient performance and the development and implementation of subrecipient improvement plans in compliance with federal requirements.
2023-048b Ensure subrecipients include the levels of performance for each of the core indicators of performance in their local applications as required by Section 113(b)(4)(A)(ii) and disaggregated performance reporting as required by Section 113(b)(4)(B)(ii) of Perkins V.
2023-048c Enhance internal controls over subrecipient monitoring to ensure compliance with state monitoring of eligible recipients.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-044 (significant deficiency – repeat finding – 2022-056)
TITLE I GRANTS TO LOCAL EDUCATION AGENCIES – 84.010
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Year: 2023
Federal Award Number: S010A220039 – 22A
Administered by: Rhode Island Department of Education (RIDE)
CAREER AND TECHNICAL EDUCATION – BASIC GRANTS TO STATES – 84.048
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Year: 2023
Federal Award Number: V048A220039 - 22A
Administered by: Rhode Island Department of Education (RIDE)
EDUCATION STABILIZATION FUND – 84.425B, 84.425C, 84.425D, 84.425U, 84.425W, 84.425V
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Years: 2020 and 2021
Federal Award Numbers: S425B200026, S425C210028, S425D210046, S425U21046-21A, S425V210010, S425W210041-21A
Administered by: Rhode Island Department of Education (RIDE)
Compliance Requirement: Activities Allowed or Unallowed
ACTIVITIES ALLOWED OR UNALLOWED
Information technology (IT) security controls over the Accelegrants system need improvement to protect reliability of the system data used to administer federal compliance.
Background: The Local Education Agencies (LEAs) generate and submit their Consolidated Resource Plan (CRP) to the Rhode Island Department of Education (RIDE) through the Accelegrants System – an application provided by a third-party vendor. Using this information, RIDE allocates the State’s allotted funding for the Title I Grants to Local Education Agencies, Education Stabilization Fund, and Career and Technical Education – Basic Grants to States programs amongst the LEAs. Additionally, the LEAs submit their requests for federal reimbursement through Accelegrants. The State allocation of Title I federal funding is reliant on the data reported in Accelegrants.
Criteria: Management should ensure that systems critical to the administration of federal programs comply with IT security industry standards and best practices. The State has adopted such practices through its Division of Enterprise Technology Strategy and Services for agencies to comply with. IT security industry standards and best practices dictate that proper access management is essential for any application processing electronic data. Access management should be in place within the Accelegrants application to ensure the proper protection and integrity of RIDE data. A critical part of access management is to ensure the timely adjustment of access privileges or removal of system access altogether for users who either transfer or terminate employment. In addition, it is vital that oversight of the vendor activities is maintained for the agency to be able to rely on the software application vendor for system security and availability.
Condition: Our evaluation of RIDE’s information systems security management noted several areas in need of improvement. Efforts are needed to provide a comprehensive approach to critical system security requirements that addresses the following:
• Access Management:
o There was no documented process to either request or track user account changes (including additions, deletions, and privilege changes).
o Due to a lack of a formal user account request and tracking process, it could not be determined whether user access was appropriate or removed timely. Our review of user access, as of April 2023, noted a significant number of inactive users, several with inactivity for more than a year, whose access had not been removed.
o There was no documented periodic review of either user access or privileges to validate whether the granted access was still appropriate during fiscal 2023.
• SOC 2 Complementary User Entity Controls – There was no documented evidence of agency assessment or consideration of complementary user entity controls that were specified in the vendor-provided SOC 2 report.
• Vendor Management – There was no evidence provided of agency IT vendor management oversight to ensure vendor conformance with industry standards and best practices. The agency has no method to document and review the SOC 2 report provided by the vendor.
Our follow-up on user access and privileges after year-end suggested that RIDE made progress in updating privileges and removing user access. However, RIDE did not document that process in a manner that allowed for evaluation. Although RIDE also developed policies and procedures relating to controls over user access and the consideration of complementary user entity controls relating to Accelegrants, these policies and procedures were not implemented until fiscal year 2024.
Cause: Lack of dedicated agency resources and documentation relating to information systems security and the consideration of complementary user entity controls.
Effect: Limited monitoring of user access results in a weakening of application and data security which undermines data integrity in program administration.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-044a Enhance internal controls and timeframes to ensure prompt termination of system access when employees leave or change functions. Document occurrences of timely reviews of access privileges to determine if access is appropriate.
2023-044b Review vendor-identified complementary user entity controls specified in the vendor SOC 2 report and maintain the agency response as to relevance and how they are being addressed.
2023-044c Implement basic agency IT Vendor Management oversight to ensure conformance with industry standards and best practices.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-030 (material noncompliance / material weakness – repeat finding – 2022-039 and 2022-060)
EMERGENCY RENTAL ASSISTANCE PROGRAM – 21.023
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: ERAE0006
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
CORONAVIRUS STATE AND LOCAL FISCAL RECOVERY FUNDS – 21.027
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: SLFRP0136
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019 to 2024
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
DISASTER GRANTS – PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) – 97.036
Federal Awarding Agency: U.S. Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA)
Federal Award Fiscal Years: 2020 to 2023
Federal Award Number: FEMA-4505-DRRIP00000001
Administered by: Rhode Island Emergency Management Agency (RIEMA)
Compliance Requirement: Subrecipient Monitoring
SUBRECIPIENT MONITORING
The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs.
Background: The State relies on grantee agencies to perform subrecipient monitoring, when required, and ensure compliance with federal regulations. There is no statewide monitoring of subrecipient activities to ensure compliance with federal regulations.
Criteria: 2 CFR §200.332(d) “Requirements for pass-through entities” requires that all pass-through entities must “monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.” That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.
2 CFR §200.332(a)(1) requires pass-through entities to clearly identify certain Federal award identification information in the subaward (e.g., subrecipient unique entity identifier, Federal Award Identification Number, Assistance Listing number and title, et al.).
Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed subrecipient financial and performance reports, i.e., Single Audit reports, when applicable, or performed other monitoring activities to comply with federal regulations. Based on test results, specific to agency review of Single Audit reports, the following programs were deemed to be in material noncompliance with subrecipient monitoring requirements:
[See Schedule of Findings and Questioned Costs for tables.]
In addition to the noncompliance related to review of subrecipient audit reports noted above, we identified the following deficiencies:
• Emergency Rental Assistance Program and Coronavirus State and Local Fiscal Recovery Funds – The Pandemic Recovery Office (PRO) along with the Department of Housing, through a memorandum of understanding with PRO to administer portions of these programs, executed various subawards with local non-profit organizations. Procedures were in place to review and approve monthly invoice packages for adherence to program requirements and contract budgets, and consistency with key performance indicator data submitted by the subrecipients. However, no on-site monitoring was performed in fiscal 2023 and periodic meetings with subrecipients were not documented.
• Epidemiology and Laboratory Capacity for Infectious Diseases – Subawards executed by the Department of Health did not adequately identify required Federal award identification information.
Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations.
Effect: Noncompliance with federal compliance requirements by subrecipients could occur without being identified by the State in a timely manner.
Questioned Costs: None
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-030 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-033 (other noncompliance / significant deficiency – repeat finding – 2022-059)
WIC SPECIAL SUPPLEMENTAL NUTRITION PROGRAM FOR WOMEN, INFANTS AND CHILDREN – 10.557
Federal Awarding Agency: U.S. Department of Agriculture (USDA), Food and Nutrition Service
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 224RI705W1003, 224RI705W1006, 234RI705W1003, 234RI705W1006
Administered by: Rhode Island Department of Health (RIDOH)
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019-2024
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
Compliance Requirements: Allowable Costs/Cost Principles
TIME AND EFFORT REPORTING
RIDOH can enhance controls over time and effort reporting to ensure accurate allocations and reimbursements from federal programs.
Background: RIDOH has built robust, yet complex, time reporting worksheets for employees to allocate their time spent on various activities during the week. Reconciliation of the hours worked versus the hours charged to the State’s payroll system and accounting system is performed on a quarterly basis. Amounts recorded are adjusted accordingly to ensure charges in the accounting system are consistent with actual time charged to various programs.
Criteria: 45 CFR §75.430(i)(1) and 2 CFR §200.430(i)(1) require that “Charges to Federal awards for salaries and wages must be based on records that accurately reflect the work performed.”
Condition: Our review of personnel costs identified the following deficiencies that weaken controls over the allowability of personnel expenditures:
• Amounts allocated to federal programs for personnel costs were not consistently supported by properly signed and reviewed timesheets. While RIDOH was able to provide timesheets for all selected pay periods, for the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) program, 6 of the 80 selected weekly timesheets lacked a supervisor signature. This was considered a control deficiency, but not noncompliance since the employee reported time and effort which supported allocation to the ELC program.
• One individual noted in our ELC payroll sample (4 weekly time sheets) did not have their recorded payroll adjusted through the subsequent quarterly entry to accurately reflect work performed on federal programs. This resulted in payroll costs being overallocated to the ELC program (questioned costs - $3,355).
• For both ELC and the Special Supplemental Nutrition Program for Women, Infants and Children (WIC), we noted time and effort recorded to generalized timesheet category codes (i.e., Administrative Support, Finance and Operations, ICS – Incident Command System) lacked sufficient detail (i.e., underlying activity performed in support of related category code) to support its specific federal program allocation. Questioned costs could not be determined due to the lack of time and effort detail reported.
Cause: Policies and procedures were ineffective to ensure amounts claimed and reimbursed by federal programs for personnel costs were reflective of the actual work performed on the various programs/projects listed. The State’s lack of sufficient timesheet detail prevented direct verification of recorded timesheet activities to the underlying charges on federal programs.
Effect: Personnel costs reimbursed from federal awards could be unallowable due to insufficient support and documentation.
Questioned Costs: $3,355 (ELC – 93.323)
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-033 Enhance weekly reporting of time and effort to improve documentation and support for personnel costs charged to federal programs.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-049 (other noncompliance / significant deficiency – repeat finding – 2022-038)
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019 to 2024
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
Compliance Requirement: Reporting
FEDERAL FUNDING ACCOUNTABILITY AND TRANSPARENCY ACT (FFATA)
Controls over reporting of subawards to a federal transparency website can be enhanced to ensure accurate reporting in compliance with the requirements of FFATA.
Criteria: The Federal Funding Accountability and Transparency Act (Public Law 109-282; as amended by Section 6202 of Public Law 110-252), as codified in 2 CFR Part 170, requires recipients of grants and cooperative agreements to report first-tier subawards of $30,000 or more to the Federal Funding Accountability and Transparency Act Subaward Reporting System (FSRS).
Condition: Subaward information entered into the FSRS, made publicly available via USASpending.gov, was not inclusive of all subawards made for certain programs audited during fiscal 2023. In our testing of compliance with FFATA, we noted the following exceptions:
[See Schedule of Findings and Questioned Costs for table.]
While the State has conducted training for the various departments and agencies, procedures at the department level to ensure FFATA reporting requirements are met have not been implemented.
Cause: Controls and monitoring efforts have not been established to ensure compliance with FFATA reporting requirements.
Effect: RIDOH did not sufficiently comply with the reporting requirements of FFATA.
Questioned Costs: None
Valid Statistical Sample: Not Applicable
RECOMMENDATION
2023-049 Establish policies and procedures to ensure accurate and timely reporting of subawards in accordance with FFATA.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-050 (significant deficiency – repeat finding – 2022-052)
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019 to 2024
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
DISASTER GRANTS – PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) – 97.036
Federal Awarding Agency: U.S. Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA)
Federal Award Fiscal Years: 2020 to 2023
Federal Award Number: FEMA-4505-DRRIP00000001
Administered by: Rhode Island Emergency Management Agency (RIEMA)
Compliance Requirement: Activities Allowed or Unallowed; Allowable Costs/Cost Principles
CONTROLS OVER PANDEMIC-RELATED EXPENDITURES ALLOCABLE TO MULTIPLE FUNDING SOURCES OR FEDERAL AWARDS
The State had insufficient controls to ensure expenditures were not reimbursed from more than one funding source or award under federal programs with similar pandemic response related objectives. Reconciliations of accounting records to align program revenues with federal revenues received were not fully completed at fiscal year-end.
Background: The State has received an unprecedented amount of federal assistance to respond to the effects of the global health pandemic. Included in this assistance were funds received from the FEMA Stafford Act Disaster Grants program and the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) program, among others. Certain costs were eligible for reimbursement under multiple programs and funding sources. Expenditures were often applied to one funding source and then subsequently adjusted to another funding source as federal guidelines changed and the end of the period of availability drew near for multiple awards. Due to the length of the pandemic, adjustments of program expenditures between federal programs or other funding sources overlapped fiscal years at times.
Criteria: Expenditures may only be reimbursed from one funding source or federal award.
Condition: Due to changing federal guidelines and the evolving State response to the pandemic, costs were sometimes charged to one funding source and then later moved to another funding source. When expenditures are reclassified or reallocated within the RIFANS accounting system, journal entries are used to move the aggregate dollar activity; however, the original transaction (expenditure/disbursement) remains in the account originally charged, offset by a credit. This process complicates the identification of the underlying expenditures reimbursed by the federal award and increases the risk that expenditures could be reimbursed from more than one federal award.
During fiscal 2023, we noted the following adjustments to financial activity supporting the cited control deficiency:
• Approximately $1.0 million in expenditures were adjusted from ELC to FEMA, and another $1.8 million from restricted funding sources to ELC.
• Approximately $2.1 million was adjusted from various federal programs and non-federal accounts to FEMA’s Disaster Grants program and another $6.6 million from FEMA’s Disaster Grants program to various federal programs and other non-federal expenditure accounts.
The State implemented a reconciliation process to account for, and adjust as necessary, federal program activity to align accounting records with actual final funding sources of the activities. Journal entries were processed in fiscal 2023 to adjust expenditures between federal and non-federal funding sources for prior and current year activity. While there was a significant decrease in the magnitude of the adjustments compared to prior years, reconciliations for all State agencies and departments were not fully completed at June 30, 2023.
Cause: Due to the rapid response required during the pandemic, the existence of multiple federal funding sources, and continually evolving federal guidance, costs were moved and adjusted in the accounting system to various funding sources, which increased the risk that a cost could be reimbursed from more than one funding source or federal award.
Effect: Potential duplicate reimbursement of expenditures from more than one funding source or federal award. Potential of charging costs for unallowable activities to federal programs as the expenditure detail is not maintained when expenditures are adjusted in the accounting system.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-050a Ensure reconciliations and any required adjustments are complete to demonstrate that eligible pandemic-related program costs were not reimbursed from more than one funding source.
2023-050b Determine whether any program costs were reimbursed by multiple funding sources. Return any related funds to the appropriate federal grantor.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-042 (other matter / significant deficiency – new finding)
STUDENT FINANCIAL ASSISTANCE CLUSTER – 84.007, 84.033, 84.038, 84.063, 84.268, 84.379, 93.342, 93.364
Federal Awarding Agency: U.S. Department of Education (ED)
Federal Award Fiscal Years: 2022 to 2023
Federal Award Number: Not Applicable
Administered by: University of Rhode Island (URI)
Compliance Requirements: Special Tests & Provisions – Gramm-Leach-Bliley Act
UNIVERSITY OF RHODE ISLAND – GRAMM-LEACH-BLILEY ACT
Criteria: The Gramm-Leach-Bliley Act (GLBA) (Public Law 106-102) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR §314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs as “financial institutions” and subject to the Gramm-Leach-Bliley Act (16 CFR §313.3(k)(2)(vi)). Entities must establish and maintain effective internal control over federal awards (2 CFR §200.303).
Condition: Institutions are required to develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts. GLBA requires the information security program to include the elements defined at 16 CFR §314.4. During audit testing, it was noted the University did not have all the required elements.
Context: During our testing of the University’s information security plan, we noted the following:
• The University has a written information security plan titled 2.01 URI Information Security Program that is currently in draft form and has not been approved and formally implemented.
Cause: Policies and controls did not ensure the draft comprehensive information security program was finalized and implemented on a timely basis.
Effect: The University did not have a written final approved information security program in compliance with GLBA in place as of June 30, 2023.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-042 We recommend that the University approve and formally implement its information security program.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-051 (other noncompliance / material weakness – repeat finding – 2022-061)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RITANF and G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Eligibility
CONTROLS OVER ELIGIBILITY FOR THE TEMPORARY ASSISTANCE FOR NEEDY FAMILIES (TANF) PROGRAM
Internal controls are lacking to ensure that TANF eligibility is supported by documentation required by program regulations. Documentation deficiencies, specifically relating to applicant residency, resulted in noncompliance with TANF eligibility requirements for fiscal 2023.
Background: RIBridges is the State’s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and periodic validation of client-attested data through multiple electronic interfaces.
Criteria: Federal regulation 45 CFR §260.20 requires that a family be needy in order to be eligible for TANF assistance and job preparation services. 45 CFR §205.60(a) requires “the State agency will maintain or supervise the maintenance of records necessary for the proper and efficient operation of the plan, including records regarding applications, determination of eligibility, the provision of financial assistance, and the use of any information obtained under §205.55, with respect to individual applications denied, recipients whose benefits have been terminated, recipients whose benefits have been modified, and the dollar value of these denials, terminations and modifications. Under this requirement, the agency will keep individual records which contain pertinent facts about each applicant and recipient. The records will include information concerning the date of application and the date and basis of its disposition; facts essential to the determination of initial and continuing eligibility (including the individual's social security number, need for, and provision of financial assistance); and the basis for discontinuing assistance.” The State’s policies and procedures require that documentation used to verify eligibility be maintained in the case file. Federal regulations define appropriate sources of documentation to verify TANF applicant data when determining TANF eligibility.
Proof of residency is a requirement for TANF eligibility. According to the RI State Plan, acceptable documentation for proof of residency includes rental receipt, lease agreement, utility bills, medical bills, bank statements, payroll statement, mortgage statement, car registration, city or town tax statement, and/or school records.
Condition: Documentation in RIBridges was insufficient to support eligibility in certain cases tested. Evaluations of exceptions relating to case documentation deficiencies, questioned costs, and consideration of noncompliance with eligibility requirements are based on documentation of critical household eligibility factors (income, residency, citizenship, valid social security number, birth certificates). If documentation omission was isolated in a case record and did not impact the substantial eligibility of the household, it was treated as an exception for control deficiency considerations only.
[See Schedule of Findings and Questioned Costs for table.]
Exceptions resulting in eligibility being unsupported by case record (8 Exceptions – 11.7% error rate):
• None of the required documentation supporting household residency was included in the case record for 7 sample households.
• Signed recertification documents not scanned to the system (4 instances). For 3 of the cases without a completed recertification, the case file notes mention their completion. In 1 instance there was no documentation or case note (this case was included in reported questioned costs) supporting recertification.
Exceptions – nonconformance with established eligibility process and/or control procedures (control exception without impact on eligibility):
• Identification documents for all household members or other supporting case documents not scanned to the system (21 instances).
Documentation deficiencies for critical eligibility requirements were noted in 11.7% of the cases we tested in fiscal 2023. While applicant attested information, in most cases, supported applicant eligibility for TANF, the lack of required critical supporting documentation and the significant number of other documentation deficiencies noted were deemed to be a material weakness in internal control over TANF eligibility. While our projection of test results did not rise to the level of material noncompliance with TANF eligibility requirements, significant noncompliance resulted from documentation deficiencies.
Cause: Lack of supporting documentation included in the TANF case record and insufficient procedures to ensure that critical case documentation is included in the case record prior to eligibility being approved for the applicant.
Effect: Noncompliance with TANF eligibility requirements and/or documentation requirements mandated by DHS policy. Ineligible benefit payments claimed to the TANF program.
Questioned Costs: $42,153
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-051 Improve policies and procedures to ensure that all required eligibility compliance requirements for TANF are documented within RIBridges.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-052 (other noncompliance / significant deficiency – new finding)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Year: 2023
Federal Award Number: G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Activities Allowed or Unallowed
CONTROLS OVER TRANSFERS TO THE SOCIAL SERVICE BLOCK GRANT (SSBG)
DHS transferred an amount to the SSBG program that exceeded the federally allowed 10 percent of the TANF award for fiscal 2023.
Criteria: The TANF block grant law provides that states may transfer up to 10 percent of their TANF grant to the SSBG (Title XX) program.
Condition: As of June 30, 2023, DHS had been awarded $70,339,314 for FFY 2023. The amount recorded in the state’s accounting system in the two accounts assigned to transfers was $7,213,005, which exceeded the 10% limit by $179,074.
Cause: Failure to monitor the amount transferred to SSBG to ensure compliance with federal regulations.
Effect: Noncompliance with the SSBG transfer limit at June 30, 2023.
Questioned Costs: $179,074
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-052 Monitor compliance with the federal 10% transfer limit prior to each transfer to the SSBG program.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-053 (significant deficiency – new finding)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Year: 2023
Federal Award Number: G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Reporting
CONTROLS OVER FINANCIAL REPORTING
Federal reports for both TANF and Childcare did not agree to underlying documentation.
Criteria: Federal reports should include all activity of the period, be supported by applicable accounting or performance records, and be fairly presented in accordance with governing requirements.
Condition: Three out of four TANF and two of four Childcare quarterly financial reports contained errors in at least one line item that went undetected by DHS. The summary documents provided as support did not agree to the underlying data.
Cause: DHS did not perform quarterly reconciliations of federal reports to the State accounting system. In addition, supervisory review of federal reports was not documented.
Effect: Federal reporting errors were made and not identified and corrected.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-053 Maintain documentation for each report as submitted. Perform a secondary review to ensure that reports agree to supporting documentation and reconcile to the accounting system.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-054 (significant deficiency – repeat finding – 2022-040)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RITANF and G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Finding 2023-016.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, and improved monitoring of system access by the MMIS system contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to be biennial);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations – these reviews are performed annually with the audit scope rotating over a three-year period;
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information; and
• Independent Verification & Validation (IV&V) monitoring services, into which the State has incorporated certain IT security monitoring functions (e.g., vulnerability scanning and analysis, participating in regular IT security meetings).
In fiscal 2023, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since attestation engagements are not contractually required annually). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-054a Improve monitoring of MMIS system access, removal of system access upon user termination, and consideration and documentation of user entity controls.
2023-054b Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-055 (significant deficiency – new finding)
LOW-INCOME HOME ENERGY ASSISTANCE – 93.568
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2201RILIEA and 2301RILIEA
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Eligibility
EVALUATION OF CONTROLS OVER FUNCTIONS PERFORMED BY EXTERNAL SYSTEM
See related Financial Statement Finding 2023-002.
DHS can improve its consideration of controls over functions performed by the Hancock System by obtaining proper Service Organization Control (SOC) reports provided by the outside vendor. These are necessary and consistent with management’s responsibility for the overall adequacy of the design and operation of internal control.
Background: The Low-Income Home Energy Assistance Program’s (LIHEAP) Hancock application is a cloud-based system that enables state offices to administer income eligible heating and energy assistance programs. The application is maintained by a vendor and is utilized both at the State level and within community action agencies.
Criteria: Management has the responsibility to ensure the adequacy of the design and operation of key controls over the operation of the program to ensure compliance with LIHEAP regulations. A Service Organization Control (SOC) report provided by the vendor is one means, in part, of meeting management’s responsibility. Alternatively, monitoring and assessment procedures should be performed by DHS with assistance from the State’s Enterprise Technology Strategy and Services (ETSS).
Per ETSS Policy 10-20: Passwords will have a minimum of eight (8) characters in length for standard user accounts and a minimum of fourteen (14) characters in length for privileged user accounts and passwords will not be identical to any of the previous twenty-four (24) passwords.
Per ETSS Policy 10-10: The agency will disable non-privileged accounts after 90 days of inactivity and privileged accounts after 60 days of inactivity.
Condition: DHS has not performed assessments of the accuracy and reliability of the system in determining eligibility and related benefits or considered information technology risks for the application. The system is integral to the operation of the program and to maintaining compliance with federal program requirements. The vendor provides a SOC 2 Type 2 report; however, a review of this report and consideration of exceptions and recommended complementary user entity controls was not completed by the department.
Additionally, Hancock LIHEAP system user passwords are only required to have a length of 6 characters and are allowed to repeat after 3 changes, which is not in compliance with the State's Enterprise Password Policy. The agency also has not performed user access reviews nor disabled accounts with more than 90 days of inactivity in accordance with the State’s Enterprise Access Policy.
Cause: DHS has not performed sufficient monitoring of operating effectiveness and information technology risk assessment for the Hancock LIHEAP application. The agency has not completed a review of the SOC 2 Type 2 report or considered the exceptions and recommended complementary user entity controls presented in it. The password requirements and account management, specifically users who have not accessed the system in 90 days, do not comply with the State’s policies and procedures.
Effect: Inattention to maintaining proper user access controls could result in unauthorized access to the system and potential fraud and noncompliance with program requirements.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-055a Ensure that service organization controls (SOC) reports are reviewed timely, and that proper documentation and review of the complementary user entity controls were performed using the existing Accounts and Control review form.
2023-055b Adhere to the State’s ETSS Policy and require password length to be 8 characters for standard users and 14 characters for privileged user accounts. Adhere to the State’s ETSS Policy and do not allow passwords to be identical to any of the previous 24 passwords.
2023-055c Perform periodic reviews of users and disable access to non-privileged accounts after 90 days and privileged accounts after 60 days.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-053 (significant deficiency – new finding)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Year: 2023
Federal Award Number: G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Reporting
CONTROLS OVER FINANCIAL REPORTING
Federal reports for both TANF and Childcare did not agree to underlying documentation.
Criteria: Federal reports should include all activity of the period, be supported by applicable accounting or performance records, and be fairly presented in accordance with governing requirements.
Condition: Three out of four TANF and two of four Childcare quarterly financial reports contained errors in at least one line item that went undetected by DHS. The summary documents provided as support did not agree to the underlying data.
Cause: DHS did not perform quarterly reconciliations of federal reports to the State accounting system. In addition, supervisory review of federal reports was not documented.
Effect: Federal reporting errors were made and not identified and corrected.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-053 Maintain documentation for each report as submitted. Perform a secondary review to ensure that reports agree to supporting documentation and reconcile to the accounting system.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-054 (significant deficiency – repeat finding – 2022-040)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RITANF and G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Award Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Finding 2023-016.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, and improved monitoring of system access by the MMIS system contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to be biennial);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations – these reviews are performed annually with the audit scope rotating over a three-year period;
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information; and
• Independent Verification & Validation (IV&V) monitoring services, into which the State has incorporated certain IT security monitoring functions (e.g., vulnerability scanning and analysis, participating in regular IT security meetings).
In fiscal 2023, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since attestation engagements are not contractually required annually). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-054a Improve monitoring of MMIS system access, removal of system access upon user termination, and consideration and documentation of user entity controls.
2023-054b Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-056 (other noncompliance / material weakness – repeat finding – 2022-062)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Eligibility
CONTROLS OVER CHILD CARE ELIGIBILITY
Controls over Child Care program eligibility, specifically relating to ensuring that required documentation is included in case records in support of eligibility determinations, need improvement.
Background: RIBridges is the State’s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and periodic validation of client attested data through multiple electronic interfaces. RIBridges determines eligibility for a childcare subsidy and the amount of parental co-pay based on family income and family size. Payments to licensed childcare providers are made through RIBridges. RIBridges is the official source of recipient eligibility documentation for the Child Care program.
Criteria: Lead agencies must have in place procedures for documenting and verifying eligibility in accordance with federal requirements, as well as the specific eligibility requirements selected by each State in its approved plan. A lead agency is the designated State, territorial or tribal entity to which the CCDF grant is awarded and that is accountable for administering the CCDF program. Lead agencies shall establish a sliding fee scale, based on family size, income, and other appropriate factors, that provides for cost sharing by families that receive CCDF childcare services (45 CFR §98.45(k)). Lead agencies may exempt families below the poverty line from making copayments and shall establish a payment rate schedule for childcare providers caring for subsidized children (45 CFR §98.45(k)(4)).
Condition: Documentation supporting Child Care program eligibility was not found in 3 of 40 sample cases reviewed, resulting in a 7.5% error rate. While this error rate did not represent material noncompliance with Child Care eligibility requirements, it did represent a material weakness in internal controls resulting in significant program noncompliance. The complete details of our testing are presented in the following table:
[See Schedule of Findings and Questioned Costs for table.]
Improved controls including systemic controls that require validation of critical documentation requirements, monitoring to ensure that cases are recertified annually, and worker training or quality control aids should be considered.
Cause: RIBridges does not prevent a case from being approved for eligibility when required documentation is omitted. Failure to document critical eligibility requirements (i.e., income validation, annual recertification) resulted in noncompliance due to unsupported eligibility.
Effect: Noncompliance with Child Care program eligibility requirements.
Questioned Costs: $14,904
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-056 Improve controls over CCDF eligibility determinations by ensuring consistent inclusion of eligibility documentation in the electronic case record.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-053 (significant deficiency – new finding)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Year: 2023
Federal Award Number: G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Reporting
CONTROLS OVER FINANCIAL REPORTING
Federal reports for both TANF and Childcare did not agree to underlying documentation.
Criteria: Federal reports should include all activity of the period, be supported by applicable accounting or performance records, and be fairly presented in accordance with governing requirements.
Condition: Three out of four TANF and two of four Childcare quarterly financial reports contained errors in at least one line item that went undetected by DHS. The summary documents provided as support did not agree to the underlying data.
Cause: DHS did not perform quarterly reconciliations of federal reports to the State accounting system. In addition, supervisory review of federal reports was not documented.
Effect: Federal reporting errors were made and not identified and corrected.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-053 Maintain documentation for each report as submitted. Perform a secondary review to ensure that reports agree to supporting documentation and reconcile to the accounting system.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-054 (significant deficiency – repeat finding – 2022-040)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RITANF and G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Award Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Finding 2023-016.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, and improved monitoring of system access by the MMIS system contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to be biennial);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations – these reviews are performed annually with the audit scope rotating over a three-year period;
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information; and
• Independent Verification & Validation (IV&V) monitoring services which the State has incorporated certain IT security monitoring functions (e.g., vulnerability scanning and analysis, participating in regular IT security meetings).
In fiscal 2023, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since attestation engagements are not contractually required annually). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-054a Improve monitoring of MMIS system access, removal of system access upon user termination, and consideration and documentation of user entity controls.
2023-054b Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-056 (other noncompliance / material weakness – repeat finding – 2022-062)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Eligibility
CONTROLS OVER CHILD CARE ELIGIBILITY
Controls over Child Care program eligibility, specifically relating to ensuring that required documentation is included in case records in support of eligibility determinations needs improvement.
Background: RIBridges is the State’s federally approved computer system used to manage multiple health care and human service programs. It was designed to allow for integrated eligibility across programs, enhanced client accessibility, and periodic validation of client attested data through multiple electronic interfaces. RIBridges determines eligibility for a childcare subsidy and the amount of parental co-pay based on family income and family size. Payments to licensed childcare providers are made through RIBridges. RIBridges is the official source of recipient eligibility documentation for the Child Care program.
Criteria: Lead agencies must have in place procedures for documenting and verifying eligibility in accordance with federal requirements, as well as the specific eligibility requirements selected by each State in its approved plan. A lead agency is the designated State, territorial or tribal entity to which the CCDF grant is awarded and that is accountable for administering the CCDF program. Lead agencies shall establish a sliding fee scale, based on family size, income, and other appropriate factors, that provides for cost sharing by families that receive CCDF childcare services (45 CFR §98.45(k)). Lead agencies may exempt families below the poverty line from making copayments and shall establish a payment rate schedule for childcare providers caring for subsidized children (45 CFR §98.45(k)(4)).
Condition: Documentation supporting Child Care program eligibility was not found in 3 of 40 sample cases reviewed, resulting in a 7.5% error rate. While this error rate did not represent material noncompliance with Child Care eligibility requirements, it did represent a material weakness in internal controls resulting in significant program noncompliance. The complete details of our testing are presented in the following table:
[See Schedule of Findings and Questioned Costs for table.]
Improved controls, including systemic controls that require validation of critical documentation requirements, monitoring to ensure that cases are recertified annually, and worker training or quality control aids, should be considered.
Cause: RIBridges does not prevent a case from being approved for eligibility when required documentation is omitted. Failure to document critical eligibility requirements (i.e., income validation, annual recertification) resulted in noncompliance due to unsupported eligibility.
Effect: Noncompliance with Child Care program eligibility requirements.
Questioned Costs: $14,904
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-056 Improve controls over CCDF eligibility determinations by ensuring consistent inclusion of eligibility documentation in the electronic case record.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-053 (significant deficiency – new finding)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Year: 2023
Federal Award Number: G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
Compliance Requirement: Reporting
CONTROLS OVER FINANCIAL REPORTING
Federal reports for both TANF and Childcare did not agree to underlying documentation.
Criteria: Federal reports should include all activity of the period, be supported by applicable accounting or performance records, and be fairly presented in accordance with governing requirements.
Condition: Three out of four TANF and two of four Childcare quarterly financial reports contained errors in at least one line item that went undetected by DHS. The summary documents provided as support did not agree to the underlying data.
Cause: DHS did not perform quarterly reconciliations of federal reports to the State accounting system. In addition, supervisory review of federal reports was not documented.
Effect: Federal reporting errors were made and not identified and corrected.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-053 Maintain documentation for each report as submitted. Perform a secondary review to ensure that reports agree to supporting documentation and reconcile to the accounting system.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-054 (significant deficiency – repeat finding – 2022-040)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RITANF and G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Finding 2023-016.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet its security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, and monitoring of system access by the MMIS system contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to be biennial);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations – these reviews are performed annually with the audit scope rotating over a three-year period;
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information; and
• Independent Verification & Validation (IV&V) monitoring services, into which the State has incorporated certain IT security monitoring functions (e.g., vulnerability scanning and analysis, participating in regular IT security meetings).
In fiscal 2023, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since attestation engagements are not contractually required annually). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
Cause: Certain of the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-054a Improve monitoring of MMIS system access, removal of system access upon user termination, and consideration and documentation of user entity controls.
2023-054b Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-057 (other noncompliance / material weakness – repeat finding – 2022-064)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Eligibility
CONTROLS OVER ELIGIBILITY DETERMINATIONS WITHIN THE CHILDREN’S HEALTH INSURANCE PROGRAM (CHIP)
Operational and system deficiencies, including eligibility processing modifications implemented due to PHE regulations and policy modifications, resulted in noncompliance with federal regulations relating to CHIP eligibility.
Background: Medical benefit expenditures claimed to CHIP totaled $152.3 million in fiscal 2023. Most benefit expenditures represented managed care capitation payments. Certain modifications to program eligibility requirements remained in place as the public health emergency (PHE) declaration remained in effect for most of fiscal 2023.
Criteria: Eligibility requirements for CHIP are detailed in the State Plan. Recipient eligibility requirements generally include children under age 19 with household income less than 261% of the federal poverty level (FPL). Coverage of pregnant women and unborn children of non-citizens is also available under CHIP for members with household income less than 253% of FPL. Enhanced funding under CHIP is available only for children without existing health coverage. Children with existing health coverage are eligible for Medical Assistance.
Condition: Controls over CHIP eligibility determinations, except for the PHE limitations described above, were largely unchanged during fiscal 2023. While most CHIP eligibility was identified through RIBridges, EOHHS identified additional CHIP claiming (approximately $2.7 million) through querying the MMIS for members meeting CHIP characteristics but not coded as CHIP eligible by RIBridges. Utilizing two separate claiming mechanisms continues to weaken controls over CHIP eligibility.
For fiscal 2023, we tested a sample of 60 CHIP eligible members (capitation payments totaling $148,500, federal share - $106,920, for the members tested) for compliance with program eligibility requirements. Capitation claimed to CHIP totaled $118.2 million (federal share - $85.1 million) during fiscal 2023. Our testing noted the following noncompliance and documentation deficiencies with eligibility requirements for CHIP:
• Documentation supporting income (e.g., electronic State Wage & Information Collection Agency (SWICA) validation or applicant submitted documentation (i.e., paystubs)) was lacking in 3 out of 60 cases. Our review of SWICA data provided by the RI Department of Labor and Training noted income which would have determined 2 of the 3 cases ineligible had it been reported properly in RIBridges. These exceptions are being classified as income documentation deficiencies in these cases only (not questioned or considered noncompliance) as PHE restrictions would have allowed these cases to remain eligible in fiscal 2023 regardless of the excess income determination.
• A member voluntarily withdrew from the CHIP program but was not disenrolled from the program in 1 out of 60 cases (questioned costs - $710).
In addition to noncompliance reported above, the State continued to claim CHIP enhanced reimbursement for children with existing third-party health insurance coverage. Our analysis of members charged to CHIP against a file of validated health insurance coverage provided by the Medicaid fiscal agent, found 643 members charged to CHIP that had verified other private insurance for the entire fiscal year. Capitation payments made in fiscal 2023 for those members totaled $1,326,407 (questioned costs - $955,013). During fiscal 2023, the State implemented system changes to RIBridges, designed to prevent children with existing health coverage from being coded CHIP eligible; however, it was not possible to evaluate the effectiveness of this system functionality since changes in eligibility during the PHE, in many instances, were not being communicated to the MMIS.
Program controls to ensure that CHIP children are aged out of CHIP do not ensure that CHIP claiming meets federal requirements. An analysis of children charged to CHIP during fiscal 2023 age 19 or older noted 3,070 individuals with benefits claimed to CHIP. While most of these individuals likely remained eligible for CHIP under PHE restrictions that required states to maintain eligibility during the PHE period, our analysis identified 37 individuals that turned 19 before the start of the PHE and no longer qualified for CHIP claiming. Capitation paid during fiscal 2023 for these 37 individuals totaled $124,855 (questioned costs - $89,896).
In conjunction with audit work performed during fiscal 2023 to evaluate the effectiveness of systemic processes in RIBridges designed to identify Medicaid/CHIP members no longer residing in the State, we determined that the system functionality to follow up on Public Assistance Reporting Information System (PARIS) notifications was not operating as designed. PARIS notifies States when a member has begun receiving benefits in another state or territory. The State opted to pause the functionality due to a lack of operational capacity to adhere to CMS 9912 Final Rule, which required the State to pursue additional reasonable measures during the PHE before terminating the individual’s enrollment. With systemic controls paused, controls over member residency during our audit period were found to be ineffective. The amount of capitation paid for CHIP members no longer residing in the State was not determinable during our audit period.
Lastly, we identified instances where non-qualified, non-citizen children that were eligible under a State coverage program titled “Cover All Kids” had been coded with CHIP aid categories during periods within fiscal 2023. Our analysis found that the coding error likely impacted 177 cases within CHIP during fiscal 2023. Since the duration of the coding error varied, ineligible costs could not be determined.
Cause: Noncompliance with CHIP eligibility requirements was caused by CHIP specific programming deficiencies within RIBridges (e.g., interface validations not operating as designed, failure to limit claiming for children with third-party health insurance coverage) or insufficient documentation supporting eligibility within the case record (i.e., lack of income documentation).
Effect: Noncompliance with federal requirements relating to recipient eligibility for CHIP.
Questioned Costs: $1,045,619
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2023-057a Address and correct the RIBridges system deficiencies (e.g., citizenship and income validation, TPL consideration) which weaken controls and result in noncompliance with federal regulations regarding CHIP eligibility.
2023-057b Identify ineligible CHIP costs and return to the federal grantor.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-058 (other noncompliance / significant deficiency – new finding)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
INTERNAL CONTROLS OVER COST ALLOCATION
Internal controls over administrative costs allocated to the Medical Assistance and CHIP programs need to be improved to ensure that costs allocated to the programs comply with federal regulations.
Background: Administrative expenditures incurred by various State agencies involved in the administration of Medicaid and CHIP programs (e.g., EOHHS, Department of Behavioral Healthcare, Developmental Disabilities & Hospitals (BHDDH), Department of Children, Youth, & Families (DCYF)) are allocated to the programs through federally approved cost allocation systems. All administrative expenditures determined allowable for claiming to the programs are reported to EOHHS which claims the expenditures on federal reports. Agencies adjust administrative expenditures reported in the State accounting system periodically to align with the administrative costs determined through their respective cost allocation systems.
Criteria: Management is responsible for implementing and maintaining internal controls to ensure administrative costs are charged in accordance with federal regulations.
Condition: While all State agencies administering Medical Assistance and CHIP programs utilize federally approved cost allocation plans, internal controls are not sufficiently documented and monitored to ensure expenditures allocated to federal programs are accurate and in compliance with federal regulations. Recommended controls found to be specifically lacking included:
• Documented reconciliations between costs allocated to federal programs and the State accounting system were lacking or untimely;
• Most agency cost allocation systems are operated by one individual, thus supervisory review and monitoring of the process is lacking and not formalized; and
• Most agencies do not conduct any monitoring to ensure that administrative expenditures being allocated to federal programs meet the requirements of federal Uniform Guidance.
During our audit, certain findings were not identified in a timely manner due to the above control deficiencies:
• EOHHS did not reconcile quarterly cost allocation results with the State accounting system in a timely manner; and
• BHDDH’s adjustment of cost allocation resulted in significantly overstated federal expenditures in the State accounting system due to staff errors.
While both findings impacted federal expenditures reported in the State’s Schedule of Expenditure of Federal Awards, the impact on federal expenditures claimed on the CMS-64 Report is not known and under review by both agencies.
Cause: Deficiencies in internal control over administrative expenditure claiming to Medicaid and CHIP.
Effect: Potential noncompliance with federal requirements relating to allowable costs.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-058 Improve internal controls over administrative claiming to federal programs, including documentation of policies and procedures and improved supervision and monitoring of the cost allocation process.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-059 (material noncompliance / material weakness – repeat finding – 2022-065)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Managed Care Financial Audit
MANAGED CARE FINANCIAL AUDIT
The State is not currently in compliance with federal requirements to obtain audited financial reports from its managed care organizations (MCO) in accordance with 42 CFR §438.3(m).
Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs:
• 42 CFR §438.3(m) Audited financial reports. “The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.”
• 42 CFR §438.602(e) Periodic audits. “The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.”
Condition: Federal program integrity requirements requiring audits of MCO financial reports have not been implemented by the State. This requirement is effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the financial report audit requirement has not been complied with.
The State continued to improve its compliance with these federal requirements during fiscal 2023 by contracting for its first study of encounter data validation. The encounter data validation study was designed to identify incomplete data, perform missing data quality checks, and assess the frequency and impact of late encounter data submissions. This study identified several areas where encounter data quality and consistency can be improved moving forward. The study of encounter data quality coupled with EOHHS’s internal efforts to reconcile submitted encounter data with the Financial Data Cost Reports (FDCR) submitted by the plans has significantly improved financial accountability within managed care.
Cause: Failure to implement federal requirements by the stated effective date.
Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-059a Implement policies and procedures to comply with federal regulations for audits of MCO financial reports.
2023-059b Address deficiencies identified by the contracted encounter data study by ensuring corrective action is taken by the MCOs.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-060 (other noncompliance / material weakness – repeat finding – 2022-066)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Provider Eligibility
MEDICAID MANAGED CARE ORGANIZATIONS – PROVIDER ELIGIBILITY
Controls over the screening, enrollment, and revalidation of providers within the Medicaid program should be improved to ensure compliance with federal requirements relating to provider eligibility.
Criteria: 42 CFR §455.410, Enrollment and screening of providers, requires:
(a) The State Medicaid agency must require all enrolled providers to be screened under this subpart.
(b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers.
(c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following:
(1) Medicare contractors.
(2) Medicaid agencies or Children's Health Insurance Programs of other States.
(d) The State Medicaid agency must allow enrollment of all Medicare-enrolled providers and suppliers for purposes of processing claims to determine Medicare cost-sharing (as defined in section 1905(p)(3) of the Act) if the providers or suppliers meet all Federal Medicaid enrollment requirements, including, but not limited to, all applicable provisions of 42 CFR part 455, subparts B and E. This paragraph (d) applies even if the Medicare-enrolled provider or supplier is of a type not recognized by the State Medicaid Agency.
42 CFR §455.412, Verification of provider licenses, requires that the State Medicaid agency (SMA) must:
(a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State.
(b) Confirm that the provider's license has not expired and that there are no current limitations on the provider's license.
42 CFR §455.436, Federal database checks, requires that the State Medicaid agency must do all of the following:
(a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases.
(b) Check the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe.
(c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) Check the LEIE and EPLS no less frequently than monthly.
Condition: The State made substantial progress in ensuring compliance with federal requirements relating to the screening, enrollment, and revalidation requirements for providers of managed care organizations during fiscal 2023. While materially complying with these federal requirements, our audit noted the following control deficiencies relating to provider eligibility that need to be addressed:
• Licensing for providers of behavioral healthcare services and home and community-based services to members with developmental disabilities is, by statute, the responsibility of the Department of Behavioral Healthcare, Developmental Disabilities, and Hospitals (BHDDH). BHDDH, in conjunction with evaluations of provider health and safety standards, relicenses providers biennially. Inconsistent with most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual license data from BHDDH, resulting in a weakness in control for this segment of providers.
• Licensing for providers of residential services (inclusive of psychiatric services) to children in the State’s custody is, by statute, the responsibility of the Department of Children, Youth, and Families (DCYF). DCYF, in conjunction with evaluations of provider health and safety standards, relicenses providers annually. Inconsistent with most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual license data from DCYF, resulting in a weakness in control for this segment of providers.
• We tested a random sample of 120 providers (both fee-for-service and managed care providers) to ensure that providers were properly enrolled in accordance with federal regulations. We identified 5 managed care providers that were not enrolled in accordance with federal regulations (questioned costs - $54,043).
• Encounter data submitted by managed care organizations is not currently validated for provider enrollment upon acceptance. Implementing this additional edit when processing encounter data would improve controls over compliance.
• For claims representing care furnished to a beneficiary by an out-of-state furnishing provider, the SMA may pay a claim to a furnishing provider that is not enrolled in the reimbursing state’s Medicaid plan, in limited circumstances. In these circumstances, the State is required to meet several requirements including verification that the provider is enrolled in good standing in Medicare or another state’s Medicaid program. The State is not currently performing such validation for out-of-State providers with limited claiming activity.
• Federal regulations require States to check federal databases for providers excluded from participating in federal programs monthly as part of provider eligibility requirements. While the State currently checks for exclusion upon initial enrollment, re-enrollment, or if other provider organizational changes are reported, the State does not perform monthly checks.
Cause: Weaknesses in internal controls over provider eligibility that collectively undermine compliance with federal regulations.
Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks.
Questioned Costs: $54,043
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-060 Enhance internal controls over provider eligibility by addressing deficiencies cited that collectively undermine compliance with federal regulations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-061 (material weakness – repeat finding – 2022-067)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirements: Activities Allowed or Unallowed; Allowable Costs/Cost Principles
CONTROLS OVER MANAGED CARE CAPITATION PAYMENTS AND CONTRACT SETTLEMENTS
See related Financial Statement Finding 2023-005.
Capitation payments to managed care organizations (MCOs) represent approximately 65% of Medicaid benefit expenditures. EOHHS needs to improve controls over managed care financial activity to ensure compliance with allowable cost principles for related program expenditures.
Background: Medicaid expenditures for members enrolled in managed care during fiscal 2023 approximated $2.2 billion (monthly capitation payments paid to participating MCOs). This comprised managed care coverage for 321,662 Medicaid eligible members - approximately 86% of total Medicaid enrollees at June 30, 2023. These capitation payments related to the following managed care programs within the State’s Medicaid program:
[See Schedule of Findings and Questioned Costs for table.]
Each of these programs has different population eligibility characteristics, capitation rate structures, and covered in-plan services. However, these programs operate under similar contract structures for purposes of financial settlement with Medicaid.
Recognizing the significance of managed care services within the Medicaid program and the need to strengthen fiscal integrity and accountability controls over these services, the Centers for Medicare & Medicaid Services (CMS) overhauled managed care regulations in fiscal 2020. The revised regulations are designed to strengthen fiscal transparency and integrity of managed care services provided in the Medicaid and CHIP programs.
Since managed care services provided within the RI Medicaid and CHIP programs involve complex rate setting and contract settlement provisions, the reliability and completeness of the mandated data provided by managed care organizations to the State is vital to fiscal integrity and accountability controls.
Criteria: As allowed under federal regulations, the State administers its managed care programs through contracts with MCOs which share the risk regarding financial gain or loss derived from the final contract settlements for the fiscal year. Contract settlements represent significant financial transactions within the Medicaid and CHIP programs and are subject to the provisions of 2 CFR Part 200 (Uniform Guidance). In conjunction with Uniform Guidance requirements, management is responsible for maintaining internal controls that ensure the allowability of federal costs. For benefit costs associated with managed care, the accuracy of contract settlements requires that costs be documented (by submitted encounter data) and in compliance with contractual requirements (e.g., allowable services, net of credits or reimbursements).
Condition: The following findings document control deficiencies and noncompliance with federal requirements which contribute to weakened controls over the allowability of managed care expenditures within Medicaid and CHIP:
• Finding 2023-005, Medicaid Program Complexity Affects Financial Reporting and Overall Program Controls – Highlights the need for system improvements to allow better financial accountability for managed care premiums and to enhance the processing of encounter data in support of the managed care contract settlement process.
• Finding 2023-059, Managed Care Financial Audit – The managed care financial audit requirements included by CMS were designed to improve controls over financial activity and the underlying data reported by managed care organizations, which become the basis for contract settlements with the Medicaid and CHIP programs. The State’s noncompliance with these federal requirements results in weakened controls over the administration of managed care activity.
Addressing the above findings will improve (1) final contract settlements with the MCOs and (2) the reliability of data utilized in developing prospective capitation rates.
In addition to the reliability of the data provided by managed care organizations to the State, ensuring that reported medical expenditures are supported by valid encounter data is an important control over the contract settlement process. In conjunction with our review of fiscal 2022 managed care contract settlements completed after the one-year claim runout period, we reviewed the percentage of reported managed care expenditures by plan versus submitted encounter data by plan. The following table provides context regarding the amount of medical expenditures that were not supported by submitted encounter data in fiscal 2022 contract settlements.
[See Schedule of Findings and Questioned Costs for table.]
Managed care contract settlements, in addition to ensuring that reported medical expenditures are complete and accurate, are highly dependent on reported capitation paid to managed care organizations. During our audit, we noted several areas where controls over capitation can be enhanced by improving controls that ensure timely termination of managed care enrollment when members pass away or relocate out of State.
The current Medicaid Management Information System (MMIS) is over two decades old and was programmed as a medical claims processing system. The system was not programmed with the functionality needed to process capitation adjustments and edit encounter data sufficiently for managed care activity, which represents the majority of Medicaid benefit expenditures.
Cause: Control deficiencies exist relating to final contract settlements with managed care organizations (MCOs) and managed care capitation payments.
Effect: Potential for inaccurate reimbursements to MCOs for contract services provided to Medicaid enrollees.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-061 Improve controls over compliance requirements for the allowability of federal expenditures by addressing internal control deficiencies (including system limitations for managed care capitation adjustments and editing encounter data) that specifically impact financial settlements with managed care organizations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-062 (significant deficiency – repeat finding – 2022-068)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Reporting
FEDERAL REPORTING
Controls should be improved over the quarterly reporting of expenditures for the Medicaid and CHIP programs.
Criteria: Federal regulations require that expenditures for federal programs be accurately reported on Form CMS-64. The RIFANS accounting system is the State’s official record of federal program expenditures, and therefore, should be the basis for federal reports. Forms CMS-64 and CMS-21 are required for the quarterly filing of benefit and administrative expenditures for the Medicaid and CHIP programs. Additionally, the CMS-425 Report is required quarterly to reflect the cumulative disbursement of program expenditures from authorized grant awards (by federal fiscal year) for the respective programs.
Condition: Reviews of federal reports for fiscal 2023 noted the following reporting deficiencies:
• Approximately $2.7 million in CHIP expenditures were claimed to Medicaid initially and determined retroactively to be CHIP eligible and reclassified on federal reports between the two federal programs. The untimely adjustment of expenditures between the Medicaid and CHIP programs results in timing differences and reporting adjustments that complicate the reconciliation of federal reports to RIFANS for both programs.
• Reconciling administrative expenditures to the State accounting system was not performed consistently by the State’s other health and human service (HHS) agencies charging administrative expenditures to Medicaid. Various HHS agencies utilize six separate and distinct cost allocation plans to allocate administrative expenditures to Medicaid. The lack of a comprehensive administrative costs reconciliation between the CMS-64 Report and the State accounting system prevents quantifying differences between federal expenditures claimed in federal reports and amounts reported in the State’s Schedule of Expenditures of Federal Awards.
• Nursing facility taxes and hospital licensing fees were reported quarterly in accordance with CMS-64 Report requirements. However, EOHHS needs to consider whether other healthcare-related taxes meet the requirements for reporting on the CMS-64 Report to ensure the completeness of reports filed. The OAG specifically inquired regarding premium taxes that are factored into Medicaid managed care rates to determine if that health insurer tax should also be reported on the CMS-64 Report.
Cause: Untimely adjustments of expenditures between the Medicaid and CHIP programs weaken controls over federal reporting for both programs. Lack of complete reconciliation of Medicaid administrative expenditures to the State accounting system represents a weakness in internal control over federal reporting. Procedures to ensure the consistent and complete reporting of healthcare-related taxes and fees on the CMS-64 Report are lacking.
Effect: Increased risk of inaccurate federal reporting.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-062a Eliminate untimely expenditure adjustments between Medicaid and CHIP by addressing RIBridges programming deficiencies which prevent CHIP eligibility from being completely determined and coded through the State’s integrated eligibility system.
2023-062b Require all HHS agencies to submit reconciliations of their quarterly administrative claiming (as determined through approved cost allocation methodologies) to reported expenditures in RIFANS on a quarterly basis.
2023-062c Conduct an analysis of healthcare-related fees and taxes levied by the State to determine if other healthcare-related taxes require reporting in the CMS-64 Report.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-063 (significant deficiency – repeat finding – 2022-069)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER THIRD-PARTY LIABILITY (TPL) IDENTIFICATION FOR MEMBERS COVERED UNDER MANAGED CARE
The State should improve controls relating to the identification of third-party insurance coverage to ensure that, when appropriate, Medicaid is the payer of last resort by (a) ensuring that TPL reported in the MMIS is accurate and up to date, and (b) ensuring that managed care organizations (MCOs) are effectively identifying TPL insurance coverage for Medicaid recipients and cost avoiding for claims covered by other insurance.
Background: The State utilizes a vendor in conjunction with its MMIS operations to identify TPL coverage for Medicaid (and CHIP) eligible members. For members enrolled in managed care, the managed care organizations (MCOs) are responsible for identifying TPL coverage. By contract, MCOs must notify the State of identified TPL within 5 business days of discovery. In response to prior year reporting of this issue, the State began more actively sharing identified TPL information with the MCOs.
Criteria: 42 CFR §433.138 requires that States (as defined in their approved State Plan) must take reasonable measures to determine the legal liability of the third parties responsible for paying for services furnished under the State Plan. Federal regulations indicate the minimum required measures that the State must include in their State Plan. Rhode Island’s State Plan TPL procedures are largely focused on TPL identification processes for fee-for-service claiming within the Medicaid program. The State’s contracts with MCOs include requirements for the identification and reporting of TPL for covered members.
With most Medicaid beneficiaries enrolled in managed care, ensuring the completeness and effectiveness of TPL identification by the MCOs is important to ensure compliance with federal regulations. Actual claims paid by the MCOs become the basis for final contract settlements; therefore, failure to identify other responsible insurance (TPL) prevents timely cost avoidance during claims processing and increases overall contract costs for the Medicaid program.
Condition: During fiscal 2023, we performed certain analytical procedures on MCO encounter data to identify instances where Medicaid recipients (members with Medicaid eligibility for the entire year) had verified TPL coverage that was consistent with their Medicaid managed care coverage to determine the extent to which MCOs were paying for claims that could be cost avoided. We selected a random sample of encounter claims where the State reported verified TPL coverage (positive) and a random sample of encounter claims where the State did not report verified TPL coverage (negative). We confirmed a sample of positive and negative sample items with the MCOs to evaluate the percentage of State verified TPL that the MCOs had successfully identified. Our test results for fiscal 2023 showed notable improvement from prior years. While one MCO reported 100% accuracy in their sample results, two MCOs each reported a 15% error rate (missing TPL coverage for 3 out of 20 members included in our sample).
Our continued analysis of federal requirements for TPL identification and cost avoidance in fiscal 2023, while showing significant improvement, supports the need for continued monitoring and validation procedures by EOHHS. EOHHS should continue to obtain a validated TPL insurance coverage file for Medicaid members annually and share validated TPL coverage with the MCOs. EOHHS should also request Medicaid member TPL coverage from the MCOs annually to validate that the MCOs are utilizing the data provided by the State.
Cause: Insufficient monitoring of TPL identification and cost avoidance by managed care organizations to ensure compliance with federal regulations.
Effect: Possible noncompliance with federal regulations requiring cost avoidance or recovery of costs when third-party liability coverage is available. Overpayment of capitation and MCO contract settlement costs.
Questioned Costs: None
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-063 Share and match identified TPL coverage with the MCOs annually. Periodic matching with MCO enrollment files would ensure that TPL coverage is consistently being applied throughout the Medicaid and CHIP programs.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-054 (significant deficiency – repeat finding – 2022-040)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RITANF and G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Finding 2023-016.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, and improved monitoring of system access by the MMIS system contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to be biennial);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations – these reviews are performed annually with the audit scope rotating over a three-year period;
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information; and
• Independent Verification & Validation (IV&V) monitoring services, into which the State has incorporated certain IT security monitoring functions (e.g., vulnerability scanning and analysis, participating in regular IT security meetings).
In fiscal 2023, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since attestation engagements are not contractually required annually). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-054a Improve monitoring of MMIS system access, removal of system access upon user termination, and consideration and documentation of user entity controls.
2023-054b Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-057 (other noncompliance / material weakness – repeat finding – 2022-064)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Award Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Eligibility
CONTROLS OVER ELIGIBILITY DETERMINATIONS WITHIN THE CHILDREN’S HEALTH INSURANCE PROGRAM (CHIP)
Operational and system deficiencies, including eligibility processing modifications implemented due to PHE regulations and policy modifications, resulted in noncompliance with federal regulations relating to CHIP eligibility.
Background: Medical benefit expenditures claimed to CHIP totaled $152.3 million in fiscal 2023. Most benefit expenditures represented managed care capitation payments. Certain modifications to program eligibility requirements remained in place as the public health emergency (PHE) declaration remained in effect for most of fiscal 2023.
Criteria: Eligibility requirements for CHIP are detailed in the State Plan. Recipient eligibility requirements generally include children under age 19 with household income less than 261% of the federal poverty level (FPL). Coverage of pregnant women and unborn children of non-citizens is also available under CHIP for members with household income less than 253% of FPL. Enhanced funding under CHIP is available only for children without existing health coverage. Children with existing health coverage are eligible for Medical Assistance.
Condition: Controls over CHIP eligibility determinations, except for the PHE limitations described above, were largely unchanged during fiscal 2023. While most CHIP eligibility was identified through RIBridges, EOHHS identified additional CHIP claiming (approximately $2.7 million) through querying the MMIS for members meeting CHIP characteristics but not coded as CHIP eligible by RIBridges. Utilizing two separate claiming mechanisms continues to weaken controls over CHIP eligibility.
For fiscal 2023, we tested a sample of 60 CHIP eligible members (capitation payments totaling $148,500, federal share - $106,920, for the members tested) for compliance with program eligibility requirements. Capitation claimed to CHIP totaled $118.2 million (federal share - $85.1 million) during fiscal 2023. Our testing noted the following noncompliance and documentation deficiencies with eligibility requirements for CHIP:
• Documentation supporting income (e.g., electronic State Wage & Information Collection Agency (SWICA) validation or applicant submitted documentation (i.e., paystubs)) was lacking in 3 out of 60 cases. Our review of SWICA data provided by the RI Department of Labor and Training noted income which would have determined 2 of the 3 cases ineligible had it been reported properly in RIBridges. These exceptions are being classified as income documentation deficiencies in these cases only (not questioned or considered noncompliance) as PHE restrictions would have allowed these cases to remain eligible in fiscal 2023 regardless of the excess income determination.
• A member voluntarily withdrew from the CHIP program but was not disenrolled from the program in 1 out of 60 cases (questioned costs - $710).
In addition to noncompliance reported above, the State continued to claim CHIP enhanced reimbursement for children with existing third-party health insurance coverage. Our analysis of members charged to CHIP against a file of validated health insurance coverage provided by the Medicaid fiscal agent, found 643 members charged to CHIP that had verified other private insurance for the entire fiscal year. Capitation payments made in fiscal 2023 for those members totaled $1,326,407 (questioned costs - $955,013). During fiscal 2023, the State implemented system changes to RIBridges, designed to prevent children with existing health coverage from being coded CHIP eligible; however, it was not possible to evaluate the effectiveness of this system functionality since changes in eligibility during the PHE, in many instances, were not being communicated to the MMIS.
Program controls to ensure that CHIP children are aged out of CHIP do not ensure that CHIP claiming meets federal requirements. An analysis of children charged to CHIP during fiscal 2023 age 19 or older noted 3,070 individuals with benefits claimed to CHIP. While most of these individuals likely remained eligible for CHIP under PHE restrictions that required states to maintain eligibility during the PHE period, our analysis identified 37 individuals that turned 19 before the start of the PHE and no longer qualified for CHIP claiming. Capitation paid during fiscal 2023 for these 37 individuals totaled $124,855 (questioned costs - $89,896).
In conjunction with audit work performed during fiscal 2023 to evaluate the effectiveness of systemic processes in RIBridges designed to identify Medicaid/CHIP members no longer residing in the State, we determined that the system functionality to follow up on Public Assistance Reporting Information System (PARIS) notifications was not operating as designed. PARIS notifies States when a member has begun receiving benefits in another state or territory. The State opted to pause the functionality due to a lack of operational capacity to adhere to CMS 9912 Final Rule, which required the State to pursue additional reasonable measures during the PHE before terminating the individual’s enrollment. With systemic controls paused, controls over member residency during our audit period were found to be ineffective. The amount of capitation paid for CHIP members no longer residing in the State was not determinable during our audit period.
Lastly, we identified instances where non-qualified, non-citizen children that were eligible under a State coverage program titled “Cover All Kids” had been coded with CHIP aid categories during periods within fiscal 2023. Our analysis found that the coding error likely impacted 177 cases within CHIP during fiscal 2023. Since the duration of the coding error varied, ineligible costs could not be determined.
Cause: Noncompliance with CHIP eligibility requirements was caused by CHIP specific programming deficiencies within RIBridges (e.g., interface validations not operating as designed, failure to limit claiming for children with third-party health insurance coverage) or insufficient documentation supporting eligibility within the case record (i.e., lack of income documentation).
Effect: Noncompliance with federal requirements relating to recipient eligibility for CHIP.
Questioned Costs: $1,045,619
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2023-057a Address and correct the RIBridges system deficiencies (e.g., citizenship and income validation, TPL consideration) which weaken controls and result in noncompliance with federal regulations regarding CHIP eligibility.
2023-057b Identify ineligible CHIP costs and return to the federal grantor.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-058 (other noncompliance / significant deficiency – new finding)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
INTERNAL CONTROLS OVER COST ALLOCATION
Internal controls over administrative costs allocated to the Medical Assistance and CHIP programs need to be improved to ensure that costs allocated to the programs comply with federal regulations.
Background: Administrative expenditures incurred by various State agencies involved in the administration of Medicaid and CHIP programs (e.g., EOHHS, Department of Behavioral Healthcare, Developmental Disabilities & Hospitals (BHDDH), Department of Children, Youth, & Families (DCYF)) are allocated to the programs through federally approved cost allocation systems. All administrative expenditures determined allowable for claiming to the programs are reported to EOHHS which claims the expenditures on federal reports. Agencies adjust administrative expenditures reported in the State accounting system periodically to align with the administrative costs determined through their respective cost allocation systems.
Criteria: Management is responsible for implementing and maintaining internal controls to ensure administrative costs are charged in accordance with federal regulations.
Condition: While all State agencies administering Medical Assistance and CHIP programs utilize federally approved cost allocation plans, internal controls are not sufficiently documented and monitored to ensure expenditures allocated to federal programs are accurate and in compliance with federal regulations. Recommended controls found to be specifically lacking included:
• Documented reconciliations between costs allocated to federal programs and the State accounting system were lacking or untimely;
• Most agency cost allocation systems are operated by one individual, thus supervisory review and monitoring of the process is lacking and not formalized; and
• Most agencies do not conduct any monitoring to ensure that administrative expenditures being allocated to federal programs meet the requirements of federal Uniform Guidance.
During our audit, certain findings were not identified in a timely manner due to the above control deficiencies:
• EOHHS did not reconcile quarterly cost allocation results with the State accounting system in a timely manner; and
• BHDDH’s adjustment of cost allocation resulted in significantly overstated federal expenditures in the State accounting system due to staff errors.
While both findings impacted federal expenditures reported in the State’s Schedule of Expenditure of Federal Awards, the impact on federal expenditures claimed on the CMS-64 Report is not known and under review by both agencies.
Cause: Deficiencies in internal control over administrative expenditure claiming to Medicaid and CHIP.
Effect: Potential noncompliance with federal requirements relating to allowable costs.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-058 Improve internal controls over administrative claiming to federal programs, including documentation of policies and procedures and improved supervision and monitoring of the cost allocation process.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-059 (material noncompliance / material weakness – repeat finding – 2022-065)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Managed Care Financial Audit
MANAGED CARE FINANCIAL AUDIT
The State is not currently in compliance with federal requirements to obtain audited financial reports from its managed care organizations (MCO) in accordance with 42 CFR §438.3(m).
Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs:
• 42 CFR §438.3(m) Audited financial reports. “The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.”
• 42 CFR §438.602(e) Periodic audits. “The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.”
Condition: Federal program integrity requirements requiring audits of MCO financial reports have not been implemented by the State. This requirement is effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the financial report audit requirement has not been complied with.
The State continued to improve its compliance with these federal requirements during fiscal 2023 by contracting for its first study of encounter data validation. The encounter data validation study was designed to identify incomplete data, perform missing data quality checks, and assess the frequency and impact of late encounter data submissions. This study identified several areas where encounter data quality and consistency can be improved moving forward. The study of encounter data quality coupled with EOHHS’s internal efforts to reconcile submitted encounter data with the Financial Data Cost Reports (FDCR) submitted by the plans has significantly improved financial accountability within managed care.
Cause: Failure to implement federal requirements by the stated effective date.
Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-059a Implement policies and procedures to comply with federal regulations for audits of MCO financial reports.
2023-059b Address deficiencies identified by the contracted encounter data study by ensuring corrective action is taken by the MCOs.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-060 (other noncompliance / material weakness – repeat finding – 2022-066)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Provider Eligibility
MEDICAID MANAGED CARE ORGANIZATIONS – PROVIDER ELIGIBILITY
Controls over the screening, enrollment, and revalidation of providers within the Medicaid program should be improved to ensure compliance with federal requirements relating to provider eligibility.
Criteria: 42 CFR §455.410, Enrollment and screening of providers, requires:
(a) The State Medicaid agency must require all enrolled providers to be screened under this subpart.
(b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers.
(c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following:
(1) Medicare contractors.
(2) Medicaid agencies or Children's Health Insurance Programs of other States.
(d) The State Medicaid agency must allow enrollment of all Medicare-enrolled providers and suppliers for purposes of processing claims to determine Medicare cost-sharing (as defined in section 1905(p)(3) of the Act) if the providers or suppliers meet all Federal Medicaid enrollment requirements, including, but not limited to, all applicable provisions of 42 CFR part 455, subparts B and E. This paragraph (d) applies even if the Medicare-enrolled provider or supplier is of a type not recognized by the State Medicaid Agency.
42 CFR §455.412, Verification of provider licenses, requires that the State Medicaid agency (SMA) must:
(a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State.
(b) Confirm that the provider's license has not expired and that there are no current limitations on the provider's license.
42 CFR §455.436, Federal database checks, requires that the State Medicaid agency must do all of the following:
(a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases.
(b) Check the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe.
(c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) Check the LEIE and EPLS no less frequently than monthly.
Condition: The State made substantial progress in ensuring compliance with federal requirements relating to the screening, enrollment, and revalidation requirements for providers of managed care organizations during fiscal 2023. While materially complying with these federal requirements, our audit noted the following control deficiencies relating to provider eligibility that need to be addressed:
• Licensing for providers of behavioral healthcare services and home and community-based services to members with developmental disabilities is, by statute, the responsibility of the Department of Behavioral Healthcare, Developmental Disabilities, and Hospitals (BHDDH). BHDDH, in conjunction with evaluations of provider health and safety standards, relicenses providers biennially. Inconsistent with most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual license data from BHDDH, resulting in a weakness in control for this segment of providers.
• Licensing for providers of residential services (inclusive of psychiatric services) to children in the State’s custody is, by statute, the responsibility of the Department of Children, Youth, and Families (DCYF). DCYF, in conjunction with evaluations of provider health and safety standards, relicenses providers annually. Inconsistent with most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual license data from DCYF resulting in a weakness in control for this segment of providers.
• We tested a random sample of 120 providers (both fee-for-service and managed care providers) to ensure that providers were properly enrolled in accordance with federal regulations. We identified 5 managed care providers that were not enrolled in accordance with federal regulations (questioned costs - $54,043).
• Encounter data submitted by managed care organizations is not currently validated for provider enrollment upon acceptance. Implementing this additional edit when processing encounter data would improve controls over compliance.
• For claims representing care furnished to a beneficiary by an out-of-state furnishing provider, the SMA may pay a claim to a furnishing provider that is not enrolled in the reimbursing state’s Medicaid plan, in limited circumstances. In these circumstances, the State is required to meet several requirements including verification that the provider is enrolled in good standing in Medicare or another state’s Medicaid program. The State is not currently performing such validation for out-of-State providers with limited claiming activity.
• Federal regulations require States to check federal databases for providers excluded from participating in federal programs monthly as part of provider eligibility requirements. While the State currently checks for exclusion upon initial enrollment, re-enrollment, or if other provider organizational changes are reported, the State does not perform monthly checks.
Cause: Weaknesses in internal controls over provider eligibility that collectively undermine compliance with federal regulations.
Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks.
Questioned Costs: $54,043
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-060 Enhance internal controls over provider eligibility by addressing deficiencies cited that collectively undermine compliance with federal regulations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-061 (material weakness – repeat finding – 2022-067)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirements: Activities Allowed or Unallowed; Allowable Costs/Cost Principles
CONTROLS OVER MANAGED CARE CAPITATION PAYMENTS AND CONTRACT SETTLEMENTS
See related Financial Statement Finding 2023-005.
Capitation payments to managed care organizations (MCOs) represent approximately 65% of Medicaid benefit expenditures. EOHHS needs to improve controls over managed care financial activity to ensure compliance with allowable cost principles for related program expenditures.
Background: Medicaid expenditures for members enrolled in managed care during fiscal 2023 approximated $2.2 billion (monthly capitation payments paid to participating MCOs). This comprised managed care coverage for 321,662 Medicaid eligible members - approximately 86% of total Medicaid enrollees at June 30, 2023. These capitation payments related to the following managed care programs within the State’s Medicaid program:
[See Schedule of Findings and Questioned Costs for table.]
Each of these programs has different population eligibility characteristics, capitation rate structures, and covered in-plan services. However, these programs operate under similar contract structures for purposes of financial settlement with Medicaid.
Recognizing the significance of managed care services within the Medicaid program and the need to strengthen fiscal integrity and accountability controls over these services, the Centers for Medicare & Medicaid Services (CMS) overhauled managed care regulations in fiscal 2020. The revised regulations are designed to strengthen fiscal transparency and integrity of managed care services provided in the Medicaid and CHIP programs.
Since managed care services provided within the RI Medicaid and CHIP programs involve complex rate setting and contract settlement provisions, the reliability and completeness of the mandated data provided by managed care organizations to the State is vital to fiscal integrity and accountability controls.
Criteria: As allowed under federal regulations, the State administers its managed care programs through contracts with MCOs which share the risk regarding financial gain or loss derived from the final contract settlements for the fiscal year. Contract settlements represent significant financial transactions within the Medicaid and CHIP programs and are subject to the provisions of 2 CFR Part 200 (Uniform Guidance). In conjunction with Uniform Guidance requirements, management is responsible for maintaining internal controls that ensure the allowability of federal costs. For benefit costs associated with managed care, the accuracy of contract settlements requires that costs be documented (by submitted encounter data) and in compliance with contractual requirements (e.g., allowable services, net of credits or reimbursements).
Condition: The following findings document control deficiencies and noncompliance with federal requirements which contribute to weakened controls over the allowability of managed care expenditures within Medicaid and CHIP:
• Finding 2023-005, Medicaid Program Complexity Affects Financial Reporting and Overall Program Controls – Highlights the need for system improvements to allow better financial accountability for managed care premiums and to enhance the processing of encounter data in support of the managed care contract settlement process.
• Finding 2023-059, Managed Care Financial Audit – The managed care financial audit requirements included by CMS were designed to improve controls over financial activity and the underlying data reported by managed care organizations, which become the basis for contract settlements with the Medicaid and CHIP programs. The State’s noncompliance with these federal requirements results in weakened controls over the administration of managed care activity.
Addressing the above findings will improve (1) final contract settlements with the MCOs and (2) the reliability of data utilized in developing prospective capitation rates.
In addition to the reliability of the data provided by managed care organizations to the State, ensuring that reported medical expenditures are supported by valid encounter data is an important control over the contract settlement process. In conjunction with our review of fiscal 2022 managed care contract settlements completed after the one-year claim runout period, we reviewed the percentage of reported managed care expenditures by plan versus submitted encounter data by plan. The following table provides context regarding the amount of medical expenditures that were not supported by submitted encounter data in fiscal 2022 contract settlements.
[See Schedule of Findings and Questioned Costs for table.]
Managed care contract settlements, in addition to ensuring that reported medical expenditures are complete and accurate, are highly dependent on reported capitation paid to managed care organizations. During our audit, we noted several areas where controls over capitation can be enhanced by improving controls that ensure timely termination of managed care enrollment when members pass away or relocate out of State.
The current Medicaid Management Information System (MMIS) is over two decades old and was programmed as a medical claims processing system. The system was not programmed with the functionality needed to process capitation adjustments and edit encounter data sufficiently for managed care activity, which represents the majority of Medicaid benefit expenditures.
Cause: Control deficiencies exist relating to final contract settlements with managed care organizations (MCOs) and managed care capitation payments.
Effect: Potential for inaccurate reimbursements to MCOs for contract services provided to Medicaid enrollees.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-061 Improve controls over compliance requirements for the allowability of federal expenditures by addressing internal control deficiencies (including system limitations for managed care capitation adjustments and editing encounter data) that specifically impact financial settlements with managed care organizations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-062 (significant deficiency – repeat finding – 2022-068)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Award Agency: Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Award Agency: Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Reporting
FEDERAL REPORTING
Controls should be improved over the quarterly reporting of expenditures for the Medicaid and CHIP programs.
Criteria: Federal regulations require that expenditures for federal programs be accurately reported on Form CMS-64. The RIFANS accounting system is the State’s official record of federal program expenditures, and therefore, should be the basis for federal reports. Forms CMS-64 and CMS-21 are required for the quarterly filing of benefit and administrative expenditures for the Medicaid and CHIP programs. Additionally, the CMS-425 Report is required quarterly to reflect the cumulative disbursement of program expenditures from authorized grant awards (by federal fiscal year) for the respective programs.
Condition: Reviews of federal reports for fiscal 2023 noted the following reporting deficiencies:
• Approximately $2.7 million in CHIP expenditures were claimed to Medicaid initially and determined retroactively to be CHIP eligible and reclassified on federal reports between the two federal programs. The untimely adjustment of expenditures between the Medicaid and CHIP programs results in timing differences and reporting adjustments that complicate the reconciliation of federal reports to RIFANS for both programs.
• Reconciling administrative expenditures to the State accounting system was not performed consistently by the State’s other health and human service (HHS) agencies charging administrative expenditures to Medicaid. Various HHS agencies utilize six separate and distinct cost allocation plans to allocate administrative expenditures to Medicaid. The lack of a comprehensive administrative costs reconciliation between the CMS-64 Report and the State accounting system prevents quantifying differences between federal expenditures claimed in federal reports and amounts reported in the State’s Schedule of Expenditures of Federal Awards.
• Nursing facility taxes and hospital licensing fees were reported quarterly in accordance with CMS-64 Report requirements. However, EOHHS needs to consider whether other healthcare-related taxes meet the requirements for reporting on the CMS-64 Report to ensure the completeness of reports filed. The OAG specifically inquired regarding premium taxes that are factored into Medicaid managed care rates to determine if that health insurer tax should also be reported on the CMS-64 Report.
Cause: Untimely adjustments of expenditures between the Medicaid and CHIP programs weaken controls over federal reporting for both programs. Lack of complete reconciliation of Medicaid administrative expenditures to the State accounting system represents a weakness in internal control over federal reporting. Procedures to ensure the consistent and complete reporting of healthcare-related taxes and fees on the CMS-64 Report are lacking.
Effect: Increased risk of inaccurate federal reporting.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-062a Eliminate untimely expenditure adjustments between Medicaid and CHIP by addressing RIBridges programming deficiencies which prevent CHIP eligibility from being completely determined and coded through the State’s integrated eligibility system.
2023-062b Require all HHS agencies to submit reconciliations of their quarterly administrative claiming (as determined through approved cost allocation methodologies) to reported expenditures in RIFANS on a quarterly basis.
2023-062c Conduct an analysis of healthcare-related fees and taxes levied by the State to determine if other healthcare-related taxes require reporting in the CMS-64 Report.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-063 (significant deficiency – repeat finding – 2022-069)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER THIRD-PARTY LIABILITY (TPL) IDENTIFICATION FOR MEMBERS COVERED UNDER MANAGED CARE
The State should improve controls relating to the identification of third-party insurance coverage to ensure that, when appropriate, Medicaid is the payer of last resort by (a) ensuring that TPL reported in the MMIS is accurate and up to date, and (b) ensuring that managed care organizations (MCOs) are effectively identifying TPL insurance coverage for Medicaid recipients and cost avoiding for claims covered by other insurance.
Background: The State utilizes a vendor in conjunction with its MMIS operations to identify TPL coverage for Medicaid (and CHIP) eligible members. For members enrolled in managed care, the managed care organizations (MCOs) are responsible for identifying TPL coverage. By contract, MCOs must notify the State of identified TPL within 5 business days of discovery. In response to prior year reporting of this issue, the State began more actively sharing identified TPL information with the MCOs.
Criteria: 42 CFR §433.138 requires that States (as defined in their approved State Plan) must take reasonable measures to determine the legal liability of the third parties responsible for paying for services furnished under the State Plan. Federal regulations indicate the minimum required measures that the State must include in their State Plan. Rhode Island’s State Plan TPL procedures are largely focused on TPL identification processes for fee-for-service claiming within the Medicaid program. The State’s contracts with MCOs include requirements for the identification and reporting of TPL for covered members.
With most Medicaid beneficiaries enrolled in managed care, ensuring the completeness and effectiveness of TPL identification by the MCOs is important to ensure compliance with federal regulations. Actual claims paid by the MCOs become the basis for final contract settlements; therefore, failure to identify other responsible insurance (TPL) prevents timely cost avoidance during claims processing and increases overall contract costs for the Medicaid program.
Condition: During fiscal 2023, we performed certain analytical procedures on MCO encounter data to identify instances where Medicaid recipients (members with Medicaid eligibility for the entire year) had verified TPL coverage that was consistent with their Medicaid managed care coverage to determine the extent to which MCOs were paying for claims that could be cost avoided. We selected a random sample of encounter claims where the State reported verified TPL coverage (positive) and a random sample of encounter claims where the State did not report verified TPL coverage (negative). We confirmed a sample of positive and negative sample items with the MCOs to evaluate the percentage of State verified TPL that the MCOs had successfully identified. Our test results for fiscal 2023 showed notable improvement from prior years. While one MCO reported 100% accuracy in their sample results, two MCOs each reported a 15% error rate (missing TPL coverage for 3 out of 20 members included in our sample).
Our continued analysis of federal requirements for TPL identification and cost avoidance in fiscal 2023, while showing significant improvement, supports the need for continued monitoring and validation procedures by EOHHS. EOHHS should continue to obtain a validated TPL insurance coverage file for Medicaid members annually and share validated TPL coverage with the MCOs. EOHHS should also request Medicaid member TPL coverage from the MCOs annually to validate that the MCOs are utilizing the data provided by the State.
Cause: Insufficient monitoring of TPL identification and cost avoidance by managed care organizations to ensure compliance with federal regulations.
Effect: Possible noncompliance with federal regulations requiring cost avoidance or recovery of costs when third-party liability coverage is available. Overpayment of capitation and MCO contract settlement costs.
Questioned Costs: None
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-063 Share and match identified TPL coverage with the MCOs annually. Periodic matching with MCO enrollment files would ensure that TPL coverage is consistently being applied throughout the Medicaid and CHIP programs.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-059 (material noncompliance / material weakness – repeat finding – 2022-065)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Managed Care Financial Audit
MANAGED CARE FINANCIAL AUDIT
The State is not currently in compliance with federal requirements to obtain audited financial reports from its managed care organizations (MCO) in accordance with 42 CFR §438.3(m).
Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs:
• 42 CFR §438.3(m) Audited financial reports. “The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.”
• 42 CFR §438.602(e) Periodic audits. “The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.”
Condition: Federal program integrity requirements requiring audits of MCO financial reports have not been implemented by the State. This requirement is effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the financial report audit requirement has not been complied with.
The State continued to improve its compliance with these federal requirements during fiscal 2023 by contracting for its first study of encounter data validation. The encounter data validation study was designed to identify incomplete data, perform missing data quality checks, and assess the frequency and impact of late encounter data submissions. This study identified several areas where encounter data quality and consistency can be improved moving forward. The study of encounter data quality coupled with EOHHS’s internal efforts to reconcile submitted encounter data with the Financial Data Cost Reports (FDCR) submitted by the plans has significantly improved financial accountability within managed care.
Cause: Failure to implement federal requirements for stated effective date.
Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-059a Implement policies and procedures to comply with federal regulations for audits of MCO financial reports.
2023-059b Address deficiencies identified by the contracted encounter data study by ensuring corrective action is taken by the MCOs.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-054 (significant deficiency – repeat finding – 2022-040)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RITANF and G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Finding 2023-016.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, and improved monitoring of system access by the MMIS system contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to be biennial);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations – these reviews are performed annually with the audit scope rotating over a three-year period;
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information; and
• Independent Verification & Validation (IV&V) monitoring services, into which the State has incorporated certain IT security monitoring functions (e.g., vulnerability scanning and analysis, participating in regular IT security meetings).
In fiscal 2023, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since attestation engagements are not contractually required annually). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-054a Improve monitoring of MMIS system access, removal of system access upon user termination, and consideration and documentation of user entity controls.
2023-054b Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-058 (other noncompliance / significant deficiency – new finding)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
INTERNAL CONTROLS OVER COST ALLOCATION
Internal controls over administrative costs allocated to the Medical Assistance and CHIP programs need to be improved to ensure that costs allocated to the programs comply with federal regulations.
Background: Administrative expenditures incurred by various State agencies involved in the administration of Medicaid and CHIP programs (e.g., EOHHS, Department of Behavioral Healthcare, Developmental Disabilities & Hospitals (BHDDH), Department of Children, Youth, & Families (DCYF)) are allocated to the programs through federally approved cost allocation systems. All administrative expenditures determined allowable for claiming to the programs are reported to EOHHS which claims the expenditures on federal reports. Agencies adjust administrative expenditures reported in the State accounting system periodically to align with the administrative costs determined through their respective cost allocation systems.
Criteria: Management is responsible for implementing and maintaining internal controls to ensure administrative costs are charged in accordance with federal regulations.
Condition: While all State agencies administering Medical Assistance and CHIP programs utilize federally approved cost allocation plans, internal controls are not sufficiently documented and monitored to ensure expenditures allocated to federal programs are accurate and in compliance with federal regulations. Recommended controls found to be specifically lacking included:
• Documented reconciliations between costs allocated to federal programs and the State accounting system were lacking or untimely;
• Most agency cost allocation systems are operated by one individual, thus supervisory review and monitoring of the process is lacking and not formalized; and
• Most agencies do not conduct any monitoring to ensure that administrative expenditures being allocated to federal programs meet the requirements of federal Uniform Guidance.
During our audit, certain findings were not identified in a timely manner due to the above control deficiencies:
• EOHHS did not reconcile quarterly cost allocation results with the State accounting system in a timely manner; and
• BHDDH’s adjustment of cost allocation resulted in significantly overstated federal expenditures in the State accounting system due to staff errors.
While both findings impacted federal expenditures reported in the State’s Schedule of Expenditures of Federal Awards, the impact on federal expenditures claimed on the CMS-64 Report is not known and under review by both agencies.
Cause: Deficiencies in internal control over administrative expenditure claiming to Medicaid and CHIP.
Effect: Potential noncompliance with federal requirements relating to allowable costs.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-058 Improve internal controls over administrative claiming to federal programs, including documentation of policies and procedures and improved supervision and monitoring of the cost allocation process.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-060 (other noncompliance / material weakness – repeat finding – 2022-066)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Provider Eligibility
MEDICAID MANAGED CARE ORGANIZATIONS – PROVIDER ELIGIBILITY
Controls over the screening, enrollment, and revalidation of providers within the Medicaid program should be improved to ensure compliance with federal requirements relating to provider eligibility.
Criteria: 42 CFR §455.410, Enrollment and screening of providers, requires:
(a) The State Medicaid agency must require all enrolled providers to be screened under this subpart.
(b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers.
(c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following:
(1) Medicare contractors.
(2) Medicaid agencies or Children's Health Insurance Programs of other States.
(d) The State Medicaid agency must allow enrollment of all Medicare-enrolled providers and suppliers for purposes of processing claims to determine Medicare cost-sharing (as defined in section 1905(p)(3) of the Act) if the providers or suppliers meet all Federal Medicaid enrollment requirements, including, but not limited to, all applicable provisions of 42 CFR part 455, subparts B and E. This paragraph (d) applies even if the Medicare-enrolled provider or supplier is of a type not recognized by the State Medicaid Agency.
42 CFR §455.412, Verification of provider licenses, requires that the State Medicaid agency (SMA) must:
(a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State.
(b) Confirm that the provider's license has not expired and that there are no current limitations on the provider's license.
42 CFR §455.436, Federal database checks, requires that the State Medicaid agency must do all of the following:
(a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases.
(b) Check the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe.
(c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) Check the LEIE and EPLS no less frequently than monthly.
Condition: The State made substantial progress in ensuring compliance with federal requirements relating to the screening, enrollment, and revalidation requirements for providers of managed care organizations during fiscal 2023. While materially complying with these federal requirements, our audit noted the following control deficiencies relating to provider eligibility that need to be addressed:
• Licensing for providers of behavioral healthcare services and home and community-based services to members with developmental disabilities is, by statute, the responsibility of the Department of Behavioral Healthcare, Developmental Disabilities, and Hospitals (BHDDH). BHDDH, in conjunction with evaluations of provider health and safety standards, relicenses providers biennially. Inconsistent with most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual license data from BHDDH resulting in a weakness in control for this segment of providers.
• Licensing for providers of residential services (inclusive of psychiatric services) to children in the State’s custody is, by statute, the responsibility of the Department of Children, Youth, and Families (DCYF). DCYF, in conjunction with evaluations of provider health and safety standards, relicenses providers annually. Inconsistent with most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual license data from DCYF resulting in a weakness in control for this segment of providers.
• We tested a random sample of 120 providers (both fee-for-service and managed care providers) to ensure that providers were properly enrolled in accordance with federal regulations. We identified 5 managed care providers that were not enrolled in accordance with federal regulations (questioned costs - $54,043).
• Encounter data submitted by managed care organizations is not currently validated for provider enrollment upon acceptance. Implementing this additional edit when processing encounter data would improve controls over compliance.
• For claims representing care furnished to a beneficiary by an out-of-state furnishing provider, the SMA may pay a claim to a furnishing provider that is not enrolled in the reimbursing state’s Medicaid plan, in limited circumstances. In these circumstances, the State is required to meet several requirements including verification that the provider is enrolled in good standing in Medicare or another state’s Medicaid program. The State is not currently performing such validation for out-of-State providers with limited claiming activity.
• Federal regulations require States to check federal databases for providers excluded from participating in federal programs monthly as part of provider eligibility requirements. While the State currently checks for exclusion upon initial enrollment, re-enrollment, or if other provider organizational changes are reported, the State does not perform monthly checks.
Cause: Weaknesses in internal controls over provider eligibility that collectively undermine compliance with federal regulations.
Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks.
Questioned Costs: $54,043
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-060 Enhance internal controls over provider eligibility by addressing deficiencies cited that collectively undermine compliance with federal regulations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-061 (material weakness – repeat finding – 2022-067)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirements: Activities Allowed or Unallowed; Allowable Costs/Cost Principles
CONTROLS OVER MANAGED CARE CAPITATION PAYMENTS AND CONTRACT SETTLEMENTS
See related Financial Statement Finding 2023-005.
Capitation payments to managed care organizations (MCOs) represent approximately 65% of Medicaid benefit expenditures. EOHHS needs to improve controls over managed care financial activity to ensure compliance with allowable cost principles for related program expenditures.
Background: Medicaid expenditures for members enrolled in managed care during fiscal 2023 approximated $2.2 billion (monthly capitation payments paid to participating MCOs). This comprised managed care coverage for 321,662 Medicaid eligible members - approximately 86% of total Medicaid enrollees at June 30, 2023. These capitation payments related to the following managed care programs within the State’s Medicaid program:
[See Schedule of Findings and Questioned Costs for table.]
Each of these programs has different population eligibility characteristics, capitation rate structures, and covered in-plan services. However, these programs operate under similar contract structures for purposes of financial settlement with Medicaid.
Recognizing the significance of managed care services within the Medicaid program and the need to strengthen fiscal integrity and accountability controls over these services, the Centers for Medicare & Medicaid Services (CMS) overhauled managed care regulations in fiscal 2020. The revised regulations are designed to strengthen fiscal transparency and integrity of managed care services provided in the Medicaid and CHIP programs.
Since managed care services provided within the RI Medicaid and CHIP programs involve complex rate setting and contract settlement provisions, the reliability and completeness of the mandated data provided by managed care organizations to the State is vital to fiscal integrity and accountability controls.
Criteria: As allowed under federal regulations, the State administers its managed care programs through contracts with MCOs which share the risk regarding financial gain or loss derived from the final contract settlements for the fiscal year. Contract settlements represent significant financial transactions within the Medicaid and CHIP programs and are subject to the provisions of 2 CFR Part 200 (Uniform Guidance). In conjunction with Uniform Guidance requirements, management is responsible for maintaining internal controls that ensure the allowability of federal costs. For benefit costs associated with managed care, the accuracy of contract settlements requires that costs be documented (by submitted encounter data) and in compliance with contractual requirements (e.g., allowable services, net of credits or reimbursements).
Condition: The following findings document control deficiencies and noncompliance with federal requirements which contribute to weakened controls over the allowability of managed care expenditures within Medicaid and CHIP:
• Finding 2023-005, Medicaid Program Complexity Affects Financial Reporting and Overall Program Controls – Highlights the need for system improvements to allow better financial accountability for managed care premiums and to enhance the processing of encounter data in support of the managed care contract settlement process.
• Finding 2023-059, Managed Care Financial Audit – CMS’s inclusion of financial audit requirements relating to managed care was designed to improve controls over financial activity and the underlying data reported by managed care organizations, which become the basis for contract settlements with the Medicaid and CHIP programs. The State’s noncompliance with these federal requirements results in weakened controls over the administration of managed care activity.
Addressing the above findings will improve (1) final contract settlements with the MCOs and (2) the reliability of data utilized in developing prospective capitation rates.
In addition to the reliability of the data provided by managed care organizations to the State, ensuring that reported medical expenditures are supported by valid encounter data is an important control over the contract settlement process. In conjunction with our review of fiscal 2022 managed care contract settlements completed after the one-year claim runout period, we reviewed the percentage of reported managed care expenditures by plan versus submitted encounter data by plan. The following table provides context regarding the amount of medical expenditures that were not supported by submitted encounter data in fiscal 2022 contract settlements.
[See Schedule of Findings and Questioned Costs for table.]
Managed care contract settlements, in addition to ensuring that reported medical expenditures are complete and accurate, are highly dependent on reported capitation paid to managed care organizations. During our audit, we noted several areas where controls over capitation can be enhanced by improving controls that ensure timely termination of managed care enrollment when members pass away or relocate out of State.
The current Medicaid Management Information System (MMIS) is over two decades old and was programmed as a medical claims processing system. The system was not programmed with the functionality needed to process capitation adjustments and edit encounter data sufficiently for managed care activity, which represents the majority of Medicaid benefit expenditures.
Cause: Control deficiencies exist relating to final contract settlements with managed care organizations (MCOs) and managed care capitation payments.
Effect: Potential for inaccurate reimbursements to MCOs for contract services provided to Medicaid enrollees.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-061 Improve controls over compliance requirements for the allowability of federal expenditures by addressing internal control deficiencies (including system limitations for managed care capitation adjustments and editing encounter data) that specifically impact financial settlements with managed care organizations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-062 (significant deficiency – repeat finding – 2022-068)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Award Agency: Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Award Agency: Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Reporting
FEDERAL REPORTING
Controls should be improved over the quarterly reporting of expenditures for the Medicaid and CHIP programs.
Criteria: Federal regulations require that expenditures for federal programs be accurately reported on Form CMS-64. The RIFANS accounting system is the State’s official record of federal program expenditures, and therefore, should be the basis for federal reports. Forms CMS-64 and CMS-21 are required for the quarterly filing of benefit and administrative expenditures for the Medicaid and CHIP programs. Additionally, the CMS-425 Report is required quarterly to reflect the cumulative disbursement of program expenditures from authorized grant awards (by federal fiscal year) for the respective programs.
Condition: Reviews of federal reports for fiscal 2023 noted the following reporting deficiencies:
• Approximately $2.7 million in CHIP expenditures were claimed to Medicaid initially and determined retroactively to be CHIP eligible and reclassified on federal reports between the two federal programs. The untimely adjustment of expenditures between the Medicaid and CHIP programs results in timing differences and reporting adjustments that complicate the reconciliation of federal reports to RIFANS for both programs.
• Reconciling administrative expenditures to the State accounting system was not performed consistently by the State’s other health and human service (HHS) agencies charging administrative expenditures to Medicaid. Various HHS agencies utilize six separate and distinct cost allocation plans to allocate administrative expenditures to Medicaid. The lack of a comprehensive administrative costs reconciliation between the CMS-64 Report and the State accounting system prevents quantifying differences between federal expenditures claimed in federal reports and amounts reported in the State’s Schedule of Expenditures of Federal Awards.
• Nursing facility taxes and hospital licensing fees were reported quarterly in accordance with CMS-64 Report requirements. However, EOHHS needs to consider whether other healthcare-related taxes meet the requirements for reporting on the CMS-64 Report to ensure the completeness of reports filed. The OAG specifically inquired regarding premium taxes that are factored into Medicaid managed care rates to determine if that health insurer tax should also be reported on the CMS-64 Report.
Cause: Untimely adjustments of expenditures between the Medicaid and CHIP programs weaken controls over federal reporting for both programs. Lack of complete reconciliation of Medicaid administrative expenditures to the State accounting system represents a weakness in internal control over federal reporting. Procedures to ensure the consistent and complete reporting of healthcare-related taxes and fees on the CMS-64 Report are lacking.
Effect: Increased risk of inaccurate federal reporting.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-062a Eliminate untimely expenditure adjustments between Medicaid and CHIP by addressing RIBridges programming deficiencies which prevent CHIP eligibility from being completely determined and coded through the State’s integrated eligibility system.
2023-062b Require all HHS agencies to submit reconciliations of their quarterly administrative claiming (as determined through approved cost allocation methodologies) to reported expenditures in RIFANS on a quarterly basis.
2023-062c Conduct an analysis of healthcare-related fees and taxes levied by the State to determine if other healthcare-related taxes require reporting in the CMS-64 Report.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-063 (significant deficiency – repeat finding – 2022-069)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER THIRD-PARTY LIABILITY (TPL) IDENTIFICATION FOR MEMBERS COVERED UNDER MANAGED CARE
The State should improve controls relating to the identification of third-party insurance coverage to ensure that, when appropriate, Medicaid is the payer of last resort by (a) ensuring that TPL reported in the MMIS is accurate and up to date, and (b) ensuring that managed care organizations (MCOs) are effectively identifying TPL insurance coverage for Medicaid recipients and cost avoiding for claims covered by other insurance.
Background: The State utilizes a vendor in conjunction with its MMIS operations to identify TPL coverage for Medicaid (and CHIP) eligible members. For members enrolled in managed care, the managed care organizations (MCOs) are responsible for identifying TPL coverage. By contract, MCOs must notify the State of identified TPL within 5 business days of discovery. In response to prior year reporting of this issue, the State began more actively sharing identified TPL information with the MCOs.
Criteria: 42 CFR §433.138 requires that States (as defined in their approved State Plan) must take reasonable measures to determine the legal liability of the third parties responsible for paying for services furnished under the State Plan. Federal regulations indicate the minimum required measures that the State must include in their State Plan. Rhode Island’s State Plan TPL procedures are largely focused on TPL identification processes for fee-for-service claiming within the Medicaid program. The State’s contracts with MCOs include requirements for the identification and reporting of TPL for covered members.
With most Medicaid beneficiaries enrolled in managed care, ensuring the completeness and effectiveness of TPL identification by the MCOs is important to ensure compliance with federal regulations. Actual claims paid by the MCOs become the basis for final contract settlements; therefore, failure to identify other responsible insurance (TPL) prevents timely cost avoidance during claims processing and increases overall contract costs for the Medicaid program.
Condition: During fiscal 2023, we performed certain analytical procedures on MCO encounter data to identify instances where Medicaid recipients (members with Medicaid eligibility for the entire year) had verified TPL coverage that was consistent with their Medicaid managed care coverage to determine the extent to which MCOs were paying for claims that could be cost avoided. We selected a random sample of encounter claims where the State reported verified TPL coverage (positive) and a random sample of encounter claims where the State did not report verified TPL coverage (negative). We confirmed a sample of positive and negative sample items with the MCOs to evaluate the percentage of State verified TPL that the MCOs had successfully identified. Our test results for fiscal 2023 showed notable improvement from prior years. While one MCO reported 100% accuracy in their sample results, two MCOs each reported a 15% error rate (missing TPL coverage for 3 out of 20 members included in our sample).
Our continued analysis of federal requirements for TPL identification and cost avoidance in fiscal 2023, while showing significant improvement, supports the need for continued monitoring and validation procedures by EOHHS. EOHHS should continue to obtain a validated TPL insurance coverage file for Medicaid members annually and share validated TPL coverage with the MCOs. EOHHS should also request Medicaid member TPL coverage from the MCOs annually to validate that the MCOs are utilizing the data provided by the State.
Cause: Insufficient monitoring of TPL identification and cost avoidance by managed care organizations to ensure compliance with federal regulations.
Effect: Possible noncompliance with federal regulations requiring cost avoidance or recovery of costs when third-party liability coverage is available. Overpayment of capitation and MCO contract settlement costs.
Questioned Costs: None
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-063 Share and match identified TPL coverage with the MCOs annually. Periodic matching with MCO enrollment files would ensure that TPL coverage is consistently being applied throughout the Medicaid and CHIP programs.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-064 (other noncompliance / material weakness – new finding)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Eligibility
CONTROLS OVER MEDICAID ELIGIBILITY
Operational and control deficiencies during fiscal 2023 resulted in noncompliance with federal regulations relating to Medicaid eligibility.
Background: RIBridges, the State’s computer system used to manage multiple federally funded human service programs, determines eligibility for Medicaid. The COVID-19 public health emergency (PHE), which continued until May 2023, restricted States from modifying recipient eligibility during the PHE, except for certain circumstances (i.e., death, relocation out of State, voluntary member withdrawal).
Criteria: Medicaid eligibility requirements are detailed in the State Plan (Section 1115 Global Waiver).
42 CFR sections 435.940 through 435.960, which detail income and eligibility verification requirements for Medicaid, require State-administered public assistance programs to establish procedures for obtaining, using, and verifying information relevant to determinations as to eligibility and the amount of assistance. Section 1902(a)(4) of the Act allows the HHS Secretary to prescribe methods of administration found necessary for the proper and efficient operation of a State’s Medicaid plan.
42 CFR §435.916 requires the periodic renewal of recipient Medicaid eligibility. The 12-month renewal period mandated for MAGI-eligible recipients pertains to the majority of Medicaid and CHIP recipients in Rhode Island.
Condition: For fiscal 2023, we tested a sample of 60 Medicaid eligible members (capitation payments totaling $240,129, federal share - $172,893, for the members tested) claimed for compliance with program eligibility. Total capitation payments claimed to Medicaid totaled $1.8 billion (federal share - $1.3 billion) during fiscal 2023. Both systemic and operational deficiencies were noted during our testing resulting in noncompliance with eligibility requirements for the Medicaid program, specifically:
• Inconsistencies with the operation of the State Wage Information Collection Agency (SWICA) interface were noted in 2 out of 60 cases (questioned costs - $2,007). Eligibility determinations in these cases were post-PHE and actual reported SWICA income would have made the members ineligible for Medicaid.
• A member was determined ineligible in RIBridges beginning 11/1/2019 (pre-PHE) but has remained continuously eligible on Medicaid (questioned costs - $5,443).
• Documentation supporting income (e.g., electronic SWICA validation or applicant submitted documentation (i.e., paystubs)) was lacking in 4 out of 60 cases. Since we were able to perform alternative procedures to validate reported income to SWICA data provided by the Department of Labor and Training, these cases were not deemed to be noncompliance as reported household income would have made these members eligible for Medicaid.
As noted above, eligibility was determined to be incorrect or unsupported in 3 of 60 sample members tested (5% error rate). Total questioned costs identified during our testing were $7,450.
In addition to noncompliance reported above, the State continued to claim Medicaid Expansion enhanced reimbursement (90% FMAP (Federal Medical Assistance Percentage)) for certain members older than 65 during fiscal 2023. While PHE requirements allowed members to remain eligible on Medicaid, states needed to redetermine eligibility for these members upon reaching age 65 to see if they were eligible for a different Medicaid eligibility category. In conjunction with our Medicaid eligibility testing, we tested a random sample of 23 Medicaid Expansion members over the age of 65 for redetermination by the State. Our testing found that 11 out of the 23 members tested turned age 65 prior to the PHE period beginning in March 2020, thus enhanced federal reimbursement should have ended upon turning age 65 (questioned costs - $79,946). Since redetermination was not performed, we could not determine if the individual would have remained qualified for Medicaid. Our analysis identified 158 members based on date of birth that should have aged out of Medicaid expansion prior to the start of the PHE.
During our audit, utilizing the U.S. Department of Treasury’s “Do Not Pay” service, we evaluated the Medicaid enrollment file as of June 30, 2023 to determine the State’s timeliness of terminating eligibility for deceased members. The “Do Not Pay” service compared the Medicaid enrollment file to the Social Security Administration (SSA) Death Master File to determine if currently enrolled members were reported deceased to the SSA. This analysis identified 3,298 deceased members still active on Medicaid at June 30, 2023. The period by which the members remained active on Medicaid after reported death, the number of members, and the amount of capitation paid in fiscal 2023 subsequent to the month of death is summarized as follows:
[See Schedule of Findings and Questioned Costs for table.]
Controls to ensure timely termination of Medicaid enrollment upon death still appear lacking to prevent capitation payments from being made for deceased members. While capitation can be recouped once identified, the length that payments are continuing is significant and could span managed care contract settlement periods. Under federal regulations, capitation payments for deceased members would be considered an ineligible payment of federal funds.
While we noted instances where RI Medicaid was recouping capitation once death was recorded in the MMIS for certain cases, the length of time that managed care capitation was continuing is indicative that system controls were not effective in terminating coverage in a timely manner. A detailed review of some of these cases noted that RIBridges was aware of the date of death, but eligibility was still active or pending closure. In many cases, the date of death was not communicated to the MMIS, resulting in continued capitation payments. The amounts included above had active eligibility at June 30, 2023 and capitation had not been recouped during fiscal 2023. Of the 3,298 members identified as deceased, 521 had reported dates of death older than two years. Based on our June 30, 2023 evaluation, estimated questioned costs for capitation payments made for deceased individuals totaled $5,125,758, pending recoupment of capitation payments to managed care organizations and the transportation provider.
In conjunction with audit work performed during fiscal 2023 to evaluate the effectiveness of systemic processes in RIBridges designed to identify Medicaid/CHIP members no longer residing in the State, we determined that the system functionality to follow-up on Public Assistance Reporting Information System (PARIS) notifications was not operating as designed. PARIS notifies States when a member has begun receiving benefits in another state or territory. The State opted to pause the functionality due to a lack of operational capacity to adhere to CMS 9912 Final Rule which required the State to pursue additional reasonable measures during the PHE before terminating the individual’s enrollment. With systemic controls paused, controls over member residency during our audit period were ineffective. The amount of capitation paid for Medicaid members no longer residing in the State was not determinable for our audit period.
Lastly, we identified some instances where non-qualified, non-citizen children that were eligible under a State coverage program titled “Cover All Kids” had been coded with Medicaid aid categories during certain periods within fiscal 2023. Our analysis found that the coding error likely impacted 373 cases within Medicaid during fiscal 2023. Since the duration of the coding error varied, ineligible costs could not be determined.
Cause: Noncompliance with Medicaid eligibility requirements was caused by specific programming deficiencies within RIBridges (e.g., failure to redetermine Medicaid Expansion members upon age 65, interface validations not operating as designed) or insufficient documentation supporting eligibility within the case record (e.g., lack of income documentation).
Effect: Noncompliance with federal requirements relating to recipient eligibility for Medicaid.
Questioned Costs: $5,213,154
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2023-064a Address and correct the RIBridges system deficiencies (e.g., SWICA interface, Medicaid Expansion age-out, Death reporting) which weaken controls and result in noncompliance with federal regulations regarding Medicaid eligibility.
2023-064b Enhance controls over the identification of deceased members and members that have relocated out-of-State to minimize ineligible benefit payments within the Medicaid program.
2023-064c Identify ineligible Medicaid costs and return to the federal grantor.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-065 (other noncompliance / significant deficiency – repeat finding – 2022-073)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
SERVICES PROVIDED TO CHILDREN IN THE STATE’S CUSTODY BY THE DEPARTMENT OF CHILDREN, YOUTH, AND FAMILIES (DCYF) BILLED TO MEDICAID
Certain psychiatric residential treatment facility (PRTF) services provided to children in the State’s custody were not charged to Medicaid in fiscal 2023 in accordance with the methodology approved in the State Plan. Controls over other services provided to children in the State’s custody would be improved if processed through the Medicaid Management Information System (MMIS).
Background: EOHHS, the Single State Medicaid Agency, administers claiming to Medicaid from other health and human service State agencies (such as DCYF) through the execution of Interagency Service Agreements (ISAs). The ISA provides approval by the Single State Medicaid Agency that the proposed services are allowable and identifies requirements that the other agency must comply with to support the allowability of the claims to Medicaid. Services authorized by the ISAs should be claimed in accordance with approved State Plan requirements. PRTF services (which began in fiscal 2020) claimed by DCYF to Medicaid are an identified service within the ISA. The approval to claim these services based on an all-inclusive rate determined through a cost-based methodology was approved by the Centers for Medicare and Medicaid Services (CMS) in fiscal 2023.
Criteria: Reimbursing providers in accordance with an approved State Plan methodology is a requirement for considering the allowability of federal expenditures. The Medicaid State Plan stipulates a cost reimbursement methodology for establishment of reimbursement rates for PRTF service providers.
Condition: DCYF implemented psychiatric residential treatment facility (PRTF) services during fiscal 2020 to provide a current level of service to children in the State’s custody that was previously lacking. Previously, DCYF allocated claiming for all contracted youth placement providers to Medicaid based on a time study methodology (partial charging, previously based on underlying time study allocation for treatment and assessment component of service provided). PRTF placements were a change, in that certified and licensed facilities would be charged at 100% of the contracted per diem rate (set based on a cost reimbursement methodology) to Medicaid. Medicaid reimbursements have been made to DCYF since inception of PRTF services based on the new methodology (determined through provider budget submission). CMS approved a State Plan amendment for a cost reimbursement methodology during fiscal 2023. PRTF services during fiscal 2023 continued to be reimbursed through an unapproved methodology. DCYF was reimbursed approximately $5.4 million for PRTF services provided to children in the State’s custody during fiscal 2023.
During our audit, we also noted that approximately $20 million in other services to children in the State’s custody (referred to as manual billings by DCYF) are being claimed to Medicaid through journal entries in the State Accounting System. Controls over these services would be greatly enhanced if these providers submitted claims directly to the MMIS for reimbursement. Allowing fee-for-service claiming to be reimbursed by Medicaid external to the MMIS significantly weakens program controls.
Cause: Medicaid reimbursements of PRTF services to DCYF during fiscal 2023 were not based on the specific cost reimbursement methodology approved in the State plan. Control weaknesses exist when Medicaid claiming is not processed through the MMIS.
Effect: Potential noncompliance with federal regulations for allowable costs/cost principles.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-065a Reprocess claims for PRTF services to ensure that the provider is reimbursed based on the allowable cost reimbursement methodology and return any ineligible amounts to the federal grantor.
2023-065b Ensure that allowable medical services provided by DCYF providers are billed directly to the MMIS and subject to all designed claims processing, recipient eligibility, and provider eligibility controls.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-066 (significant deficiency – new finding)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER STATE HOSPITAL CLAIMING
Controls need to be improved to ensure that claims from the State Hospital are reimbursed by Medicaid as the payer of last resort.
Criteria: Federal regulations require Medicaid to be the “payer of last resort.” This means that all third party insurance carriers, including Medicare and private health insurance carriers, must be billed before Medicaid processes the claim.
Condition: Unlike similar providers that claim reimbursement to Medicaid, claims submitted by Eleanor Slater Hospital (ESH), a State-operated hospital, are not edited to ensure that ESH has sought reimbursement from Medicare before seeking reimbursement from Medicaid. Normal processing requires the provider to submit to Medicaid an “explanation of benefits” (EOB) from Medicare which shows that Medicare was billed and was not reimbursed or only partially reimbursed for the claim based on the individual’s remaining benefits. The amount of claims, if any, inappropriately reimbursed by Medicaid could not be determined.
Cause: Controls over State Hospital claiming were inadequate to ensure compliance with federal regulations requiring Medicaid to be the payer of last resort.
Effect: Ineligible reimbursements by Medicaid for Eleanor Slater Hospital claims for members with other insurance coverage (predominantly Medicare).
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-066 Ensure that claiming from Eleanor Slater Hospital is subject to edits for other insurance to ensure that Medicaid is the payer of last resort.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-067 (significant deficiency – new finding)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER SPECIAL EDUCATION SERVICES PROVIDED BY LOCAL EDUCATION AGENCIES
Special education services monitoring needs more oversight to ensure that required corrective actions and certifications are obtained from local education agencies.
Criteria: The State has established policies and procedures relating to its oversight of special education services claiming by local education agencies (LEAs). These policies and procedures are detailed in EOHHS’s Direct and Administrative Services Guidebooks for LEAs. The guidebooks, among several requirements, mandate a) the submission of a quality assurance Medicaid Action Plan (LEA policies and procedures to ensure claiming meets federal requirements) and b) the quarterly submission of the Certification of Funds letters in accordance with the EOHHS/LEA Interagency Provider Agreement, which attests to the provision of State match requirements by the local education agencies.
Condition: Our review of EOHHS’ monitoring of LEA special education services billed to Medicaid identified the following:
• 1 LEA in our sample of 4 providers (out of 42 providers) had not submitted the required Medicaid Action Plan until requested during our audit, and
• EOHHS could not provide documentation of quarterly Certification of Funds letters submitted from all 4 providers sampled.
While our testing found that EOHHS’ monitoring was substantially being performed during fiscal 2023, documentation of certain compliance areas was lacking. Since other monitoring procedures were found to be in place for the providers reviewed, we did not consider claiming reimbursed to these providers to represent noncompliance with federal regulations.
Cause: Monitoring special education services was impacted by staff turnover during fiscal 2023 and oversight by EOHHS did not detect the noncompliance with departmental policies and procedures.
Effect: Potential noncompliance with federal regulations regarding the allowability of special education services reimbursed by Medicaid.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-067 Enhance oversight of special education services by LEAs to ensure compliance with adopted policies and procedures.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-054 (significant deficiency – repeat finding – 2022-040)
TEMPORARY ASSISTANCE FOR NEEDY FAMILIES – 93.558
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RITANF and G2301RITANF
Administered by: Rhode Island Department of Human Services (DHS)
CCDF CLUSTER – 93.575, 93.596
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS), Administration for Children and Families
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: G2201RICCDF and G2301RICCDF
Administered by: Rhode Island Department of Human Services (DHS)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – ADP Risk Analysis and System Security Review
COMPREHENSIVE DEPARTMENTAL AUTOMATED DATA PROCESSING (ADP) RISK ANALYSIS AND SYSTEM SECURITY PROGRAM
See related Financial Statement Finding 2023-016.
The State continued to enhance systems security oversight over systems used to administer multiple federally funded programs. Certain internal control deficiencies should be addressed to improve the State’s monitoring of information systems security over RIBridges and the Medicaid Management Information System (MMIS).
Criteria: Federal regulation 45 CFR §95.621 requires State agencies to review the ADP system security of installations used in the administration of HHS programs on a biennial basis or when a significant change to the security or system(s) occurs. At a minimum, State agencies must establish and maintain an ADP security plan and implement a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems.
EOHHS and DHS are charged with managing and securing ADP systems, which administer various federal HHS and State programs (e.g., Medicaid, TANF, etc.). These programs had eligibility, benefit determinations, and payments processed mainly by two systems – MMIS and RIBridges. State agencies (EOHHS, DHS, and the Department of Administration’s Division of Enterprise Technology Strategy and Services – ETSS) were required to determine appropriate ADP security requirements based upon recognized industry standards for each system, optimally within a comprehensive plan.
Condition: The State continued to enhance its systems security oversight of the MMIS and RIBridges systems to ensure compliance with federal regulations for ADP risk analysis and system security reviews. The following internal control deficiencies were noted during our audit and should be addressed to further improve the State’s monitoring of information systems security over the RIBridges and MMIS systems.
MMIS – EOHHS oversees the IT security requirements of the MMIS. EOHHS largely utilizes independent service organization control (SOC) reports to meet their security and risk monitoring activities for the MMIS. However, the ADP system security plan should be improved by ensuring that the coverage provided by the SOC reports is supplemented with other documented monitoring procedures (e.g., frequent monitoring of system access, timely removal of system access upon user termination, and improved documentation of user entity controls). The SOC report identifies several complementary user entity controls that EOHHS is responsible for implementing and ensuring that they are operating effectively. Examples of areas in need of improvement include the reliability and consistency of data transmitted from RIBridges to the MMIS, and improved monitoring of system access by the MMIS system contractor.
RIBridges – The State now relies on several contractor/external party reviews to monitor IT system security over the RIBridges system. These include the following:
• Attestation reports relating to the RIBridges contractor, Deloitte Consulting, and Deloitte’s subcontractor (NTT Data) that has been delegated certain IT security functions over the system (contracted to be biennial);
• MARS-E (Minimum Acceptable Risk Standards for Exchanges) evaluations applicable to Health Insurance Exchanges required by federal regulations – these reviews are performed annually with the audit scope rotating over a three-year period;
• Internal Revenue Service Safeguard Reviews – IT security reviews over State systems and applications that utilize federal tax information; and
• Independent Verification & Validation (IV&V) monitoring services, into which the State has incorporated certain IT security monitoring functions (e.g., vulnerability scanning and analysis, participating in regular IT security meetings).
In fiscal 2023, the attestation reports only covered a three-month period to evaluate controls over key IT security areas. The short audit period did not allow all controls to be evaluated during the audit period as some were not required to be performed. Going forward, the State will need to consider and document how its expected audit coverage will be coordinated with the RIBridges risk assessment to ensure that critical risk areas are included in reviews planned for that period (since attestation engagements are not contractually required annually). Additional scope may be required within the MARS-E evaluation in years where attestation reports of the contractor and subcontractors responsible for IT security requirements within RIBridges are unavailable. Such formalized annual audit/review plans, in addition to improved documented consideration of the results of audit/review reports, will improve documentation of the State’s monitoring of IT security over RIBridges.
Cause: Certain deficiencies in the State’s current IT security practices relating to ADP Risk Analysis and System Security Review need improvement to enhance systems security.
Effect: Certain collective deficiencies could undermine IT security over the RIBridges and MMIS systems.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-054a Improve monitoring of MMIS system access, removal of system access upon user termination, and consideration and documentation of user entity controls.
2023-054b Utilize risk assessment results annually to document how expected audit coverage will ensure that critical risk areas are included in the scope of work for assessments planned for that year.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-058 (other noncompliance / significant deficiency – new finding)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
INTERNAL CONTROLS OVER COST ALLOCATION
Internal controls over administrative costs allocated to the Medical Assistance and CHIP programs need to be improved to ensure that costs allocated to the programs comply with federal regulations.
Background: Administrative expenditures incurred by various State agencies involved in the administration of Medicaid and CHIP programs (e.g., EOHHS, Department of Behavioral Healthcare, Developmental Disabilities & Hospitals (BHDDH), Department of Children, Youth, & Families (DCYF)) are allocated to the programs through federally approved cost allocation systems. All administrative expenditures determined allowable for claiming to the programs are reported to EOHHS which claims the expenditures on federal reports. Agencies adjust administrative expenditures reported in the State accounting system periodically to align with the administrative costs determined through their respective cost allocation systems.
Criteria: Management is responsible for implementing and maintaining internal controls to ensure administrative costs are charged in accordance with federal regulations.
Condition: While all State agencies administering Medical Assistance and CHIP programs utilize federally approved cost allocation plans, internal controls are not sufficiently documented and monitored to ensure expenditures allocated to federal programs are accurate and in compliance with federal regulations. Recommended controls found to be specifically lacking included:
• Documented reconciliations between costs allocated to federal programs and the State accounting system were lacking or untimely;
• Most agency cost allocation systems are operated by one individual, thus supervisory review and monitoring of the process is lacking and not formalized; and
• Most agencies do not conduct any monitoring to ensure that administrative expenditures being allocated to federal programs meet the requirements of federal Uniform Guidance.
During our audit, certain findings were not identified in a timely manner due to the above control deficiencies:
• EOHHS did not reconcile quarterly cost allocation results with the State accounting system in a timely manner; and
• BHDDH’s adjustment of cost allocation resulted in significantly overstated federal expenditures in the State accounting system due to staff errors.
While both findings impacted federal expenditures reported in the State’s Schedule of Expenditure of Federal Awards, the impact on federal expenditures claimed on the CMS-64 Report is not known and under review by both agencies.
Cause: Deficiencies in internal control over administrative expenditure claiming to Medicaid and CHIP.
Effect: Potential noncompliance with federal requirements relating to allowable costs.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-058 Improve internal controls over administrative claiming to federal programs, including documentation of policies and procedures and improved supervision and monitoring of the cost allocation process.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-059 (material noncompliance / material weakness – repeat finding – 2022-065)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Managed Care Financial Audit
MANAGED CARE FINANCIAL AUDIT
The State is not currently in compliance with federal requirements to obtain audited financial reports from its managed care organizations (MCO) in accordance with 42 CFR §438.3(m).
Criteria: Federal regulations require States to comply with the following contract and program integrity safeguards when administering Medicaid managed care programs:
• 42 CFR §438.3(m) Audited financial reports. “The contract must require MCOs, PIHPs, and PAHPs to submit audited financial reports specific to the Medicaid contract on an annual basis. The audit must be conducted in accordance with generally accepted accounting principles and generally accepted auditing standards.”
• 42 CFR §438.602(e) Periodic audits. “The State must periodically, but no less frequently than once every 3 years, conduct, or contract for the conduct of, an independent audit of the accuracy, truthfulness, and completeness of the encounter and financial data submitted by, or on behalf of, each MCO, PIHP or PAHP.”
Condition: Federal program integrity requirements requiring audits of MCO financial reports have not been implemented by the State. This requirement is effective for MCO contract periods on or after July 1, 2017 (fiscal 2018). While the State has included language for audit requirements within recent MCO contracts, the financial report audit requirement has not been complied with.
The State continued to improve its compliance with these federal requirements during fiscal 2023 by contracting for its first study of encounter data validation. The encounter data validation study was designed to identify incomplete data, perform missing data quality checks, and assess the frequency and impact of late encounter data submissions. This study identified several areas where encounter data quality and consistency can be improved moving forward. The study of encounter data quality coupled with EOHHS’s internal efforts to reconcile submitted encounter data with the Financial Data Cost Reports (FDCR) submitted by the plans has significantly improved financial accountability within managed care.
Cause: Failure to implement federal requirements by the stated effective date.
Effect: Material noncompliance with federal regulations relating to managed care financial audit requirements.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-059a Implement policies and procedures to comply with federal regulations for audits of MCO financial reports.
2023-059b Address deficiencies identified by the contracted encounter data study by ensuring corrective action is taken by the MCOs.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-060 (other noncompliance / material weakness – repeat finding – 2022-066)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Special Tests and Provisions – Provider Eligibility
MEDICAID MANAGED CARE ORGANIZATIONS – PROVIDER ELIGIBILITY
Controls over the screening, enrollment, and revalidation of providers within the Medicaid program should be improved to ensure compliance with federal requirements relating to provider eligibility.
Criteria: 42 CFR §455.410, Enrollment and screening of providers, requires:
(a) The State Medicaid agency must require all enrolled providers to be screened under this subpart.
(b) The State Medicaid agency must require all ordering or referring physicians or other professionals providing services under the State plan or under a waiver of the plan to be enrolled as participating providers.
(c) The State Medicaid agency may rely on the results of the provider screening performed by any of the following:
(1) Medicare contractors.
(2) Medicaid agencies or Children's Health Insurance Programs of other States.
(d) The State Medicaid agency must allow enrollment of all Medicare-enrolled providers and suppliers for purposes of processing claims to determine Medicare cost-sharing (as defined in section 1905(p)(3) of the Act) if the providers or suppliers meet all Federal Medicaid enrollment requirements, including, but not limited to, all applicable provisions of 42 CFR part 455, subparts B and E. This paragraph (d) applies even if the Medicare-enrolled provider or supplier is of a type not recognized by the State Medicaid Agency.
42 CFR §455.412, Verification of provider licenses, requires that the State Medicaid agency (SMA) must:
(a) Have a method for verifying that any provider purporting to be licensed in accordance with the laws of any State is licensed by such State.
(b) Confirm that the provider's license has not expired and that there are no current limitations on the provider's license.
42 CFR §455.436, Federal database checks, requires that the State Medicaid agency must do all of the following:
(a) Confirm the identity and determine the exclusion status of providers and any person with an ownership or control interest or who is an agent or managing employee of the provider through routine checks of Federal databases.
(b) Check the Social Security Administration's Death Master File, the National Plan and Provider Enumeration System (NPPES), the List of Excluded Individuals/Entities (LEIE), the Excluded Parties List System (EPLS), and any such other databases as the Secretary may prescribe.
(c) (1) Consult appropriate databases to confirm identity upon enrollment and reenrollment; and (2) Check the LEIE and EPLS no less frequently than monthly.
Condition: The State made substantial progress in ensuring compliance with federal requirements relating to the screening, enrollment, and revalidation requirements for providers of managed care organizations during fiscal 2023. While materially complying with these federal requirements, our audit noted the following control deficiencies relating to provider eligibility that need to be addressed:
• Licensing for providers of behavioral healthcare services and home and community-based services to members with developmental disabilities is, by statute, the responsibility of the Department of Behavioral Healthcare, Developmental Disabilities, and Hospitals (BHDDH). BHDDH, in conjunction with evaluations of provider health and safety standards, relicenses providers biennially. Inconsistent with most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual license data from BHDDH, resulting in a weakness in control for this segment of providers.
• Licensing for providers of residential services (inclusive of psychiatric services) to children in the State’s custody is, by statute, the responsibility of the Department of Children, Youth, and Families (DCYF). DCYF, in conjunction with evaluations of provider health and safety standards, relicenses providers annually. Inconsistent with most Medicaid providers, EOHHS, as the Medicaid agency, does not receive annual license data from DCYF resulting in a weakness in control for this segment of providers.
• We tested a random sample of 120 providers (both fee-for-service and managed care providers) to ensure that providers were properly enrolled in accordance with federal regulations. We identified 5 managed care providers that were not enrolled in accordance with federal regulations (questioned costs - $54,043).
• Encounter data submitted by managed care organizations is not currently validated for provider enrollment upon acceptance. Implementing this additional edit when processing encounter data would improve controls over compliance.
• For claims representing care furnished to a beneficiary by an out-of-state furnishing provider, the SMA may pay a claim to a furnishing provider that is not enrolled in the reimbursing state’s Medicaid plan, in limited circumstances. In these circumstances, the State is required to meet several requirements including verification that the provider is enrolled in good standing in Medicare or another state’s Medicaid program. The State is not currently performing such validation for out-of-State providers with limited claiming activity.
• Federal regulations require States to check federal databases for providers excluded from participating in federal programs monthly as part of provider eligibility requirements. While the State currently checks for exclusion upon initial enrollment, re-enrollment, or if other provider organizational changes are reported, the State does not perform monthly checks.
Cause: Weaknesses in internal controls over provider eligibility that collectively undermine compliance with federal regulations.
Effect: Potential noncompliance with federal regulations relating to eligibility of providers in managed care networks.
Questioned Costs: $54,043
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-060 Enhance internal controls over provider eligibility by addressing deficiencies cited that collectively undermine compliance with federal regulations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-061 (material weakness – repeat finding – 2022-067)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirements: Activities Allowed or Unallowed; Allowable Costs/Cost Principles
CONTROLS OVER MANAGED CARE CAPITATION PAYMENTS AND CONTRACT SETTLEMENTS
See related Financial Statement Finding 2023-005.
Capitation payments to managed care organizations (MCOs) represent approximately 65% of Medicaid benefit expenditures. EOHHS needs to improve controls over managed care financial activity to ensure compliance with allowable cost principles for related program expenditures.
Background: Medicaid expenditures for members enrolled in managed care during fiscal 2023 approximated $2.2 billion (monthly capitation payments paid to participating MCOs). This comprised managed care coverage for 321,662 Medicaid eligible members - approximately 86% of total Medicaid enrollees at June 30, 2023. These capitation payments related to the following managed care programs within the State’s Medicaid program:
[See Schedule of Findings and Questioned Costs for table.]
Each of these programs has different population eligibility characteristics, capitation rate structures, and covered in-plan services. However, these programs operate under similar contract structures for purposes of financial settlement with Medicaid.
Recognizing the significance of managed care services within the Medicaid program and the need to strengthen fiscal integrity and accountability controls over these services, the Centers for Medicare & Medicaid Services (CMS) overhauled managed care regulations in fiscal 2020. The revised regulations are designed to strengthen fiscal transparency and integrity of managed care services provided in the Medicaid and CHIP programs.
Since managed care services provided within the RI Medicaid and CHIP programs involve complex rate setting and contract settlement provisions, the reliability and completeness of the mandated data provided by managed care organizations to the State is vital to fiscal integrity and accountability controls.
Criteria: As allowed under federal regulations, the State administers its managed care programs through contracts with MCOs which share the risk regarding financial gain or loss derived from the final contract settlements for the fiscal year. Contract settlements represent significant financial transactions within the Medicaid and CHIP programs and are subject to the provisions of 2 CFR Part 200 (Uniform Guidance). In conjunction with Uniform Guidance requirements, management is responsible for maintaining internal controls that ensure the allowability of federal costs. For benefit costs associated with managed care, the accuracy of contract settlements requires that costs be documented (by submitted encounter data) and in compliance with contractual requirements (e.g., allowable services, net of credits or reimbursements).
Condition: The following findings document control deficiencies and noncompliance with federal requirements which contribute to weakened controls over the allowability of managed care expenditures within Medicaid and CHIP:
• Finding 2023-005, Medicaid Program Complexity Affects Financial Reporting and Overall Program Controls – Highlights the need for system improvements to allow better financial accountability for managed care premiums and to enhance the processing of encounter data in support of the managed care contract settlement process.
• Finding 2023-059, Managed Care Financial Audit – The financial audit requirements that CMS included for managed care were designed to improve controls over financial activity and the underlying data reported by managed care organizations, which become the basis for contract settlements with the Medicaid and CHIP programs. The State’s noncompliance with these federal requirements results in weakened controls over the administration of managed care activity.
Addressing the above findings will improve (1) final contract settlements with the MCOs and (2) the reliability of data utilized in developing prospective capitation rates.
In addition to the reliability of the data provided by managed care organizations to the State, ensuring that reported medical expenditures are supported by valid encounter data is an important control over the contract settlement process. In conjunction with our review of fiscal 2022 managed care contract settlements completed after the one-year claim runout period, we reviewed the percentage of reported managed care expenditures by plan versus submitted encounter data by plan. The following table provides context regarding the amount of medical expenditures that were not supported by submitted encounter data in fiscal 2022 contract settlements.
[See Schedule of Findings and Questioned Costs for table.]
Managed care contract settlements, in addition to ensuring that reported medical expenditures are complete and accurate, are highly dependent on reported capitation paid to managed care organizations. During our audit, we noted several areas where controls over capitation can be enhanced by improving controls that ensure timely termination of managed care enrollment when members pass away or relocate out of State.
The current Medicaid Management Information System (MMIS) is over two decades old and was programmed as a medical claims processing system. The system was not programmed with the functionality needed to process capitation adjustments and edit encounter data sufficiently for managed care activity, which represents the majority of Medicaid benefit expenditures.
Cause: Control deficiencies exist relating to final contract settlements with managed care organizations (MCOs) and managed care capitation payments.
Effect: Potential for inaccurate reimbursements to MCOs for contract services provided to Medicaid enrollees.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-061 Improve controls over compliance requirements for the allowability of federal expenditures by addressing internal control deficiencies (including system limitations for managed care capitation adjustments and editing encounter data) that specifically impact financial settlements with managed care organizations.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-062 (significant deficiency – repeat finding – 2022-068)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Reporting
FEDERAL REPORTING
Controls should be improved over the quarterly reporting of expenditures for the Medicaid and CHIP programs.
Criteria: Federal regulations require that expenditures for federal programs be accurately reported on Form CMS-64. The RIFANS accounting system is the State’s official record of federal program expenditures, and therefore, should be the basis for federal reports. Forms CMS-64 and CMS-21 are required for the quarterly filing of benefit and administrative expenditures for the Medicaid and CHIP programs. Additionally, the CMS-425 Report is required quarterly to reflect the cumulative disbursement of program expenditures from authorized grant awards (by federal fiscal year) for the respective programs.
Condition: Reviews of federal reports for fiscal 2023 noted the following reporting deficiencies:
• Approximately $2.7 million in CHIP expenditures were claimed to Medicaid initially and determined retroactively to be CHIP eligible and reclassified on federal reports between the two federal programs. The untimely adjustment of expenditures between the Medicaid and CHIP programs results in timing differences and reporting adjustments that complicate the reconciliation of federal reports to RIFANS for both programs.
• Reconciling administrative expenditures to the State accounting system was not performed consistently by the State’s other health and human service (HHS) agencies charging administrative expenditures to Medicaid. Various HHS agencies utilize six separate and distinct cost allocation plans to allocate administrative expenditures to Medicaid. The lack of a comprehensive administrative costs reconciliation between the CMS-64 Report and the State accounting system prevents quantifying differences between federal expenditures claimed in federal reports and amounts reported in the State’s Schedule of Expenditures of Federal Awards.
• Nursing facility taxes and hospital licensing fees were reported quarterly in accordance with CMS-64 Report requirements. However, EOHHS needs to consider whether other healthcare-related taxes meet the requirements for reporting on the CMS-64 Report to ensure the completeness of reports filed. The OAG specifically inquired regarding premium taxes that are factored into Medicaid managed care rates to determine if that health insurer tax should also be reported on the CMS-64 Report.
Cause: Untimely adjustments of expenditures between the Medicaid and CHIP programs weaken controls over federal reporting for both programs. Lack of complete reconciliation of Medicaid administrative expenditures to the State accounting system represents a weakness in internal control over federal reporting. Procedures to ensure the consistent and complete reporting of healthcare-related taxes and fees on the CMS-64 Report are lacking.
Effect: Increased risk of inaccurate federal reporting.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-062a Eliminate untimely expenditure adjustments between Medicaid and CHIP by addressing RIBridges programming deficiencies which prevent CHIP eligibility from being completely determined and coded through the State’s integrated eligibility system.
2023-062b Require all HHS agencies to submit reconciliations of their quarterly administrative claiming (as determined through approved cost allocation methodologies) to reported expenditures in RIFANS on a quarterly basis.
2023-062c Conduct an analysis of healthcare-related fees and taxes levied by the State to determine if other healthcare-related taxes require reporting in the CMS-64 Report.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-063 (significant deficiency – repeat finding – 2022-069)
CHILDREN’S HEALTH INSURANCE PROGRAM – 93.767
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5021 and 2305RI5021
Administered by: Executive Office of Health and Human Services (EOHHS)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER THIRD-PARTY LIABILITY (TPL) IDENTIFICATION FOR MEMBERS COVERED UNDER MANAGED CARE
The State should improve controls relating to the identification of third-party insurance coverage to ensure that, when appropriate, Medicaid is the payer of last resort by (a) ensuring that TPL reported in the MMIS is accurate and up to date, and (b) ensuring that managed care organizations (MCOs) are effectively identifying TPL insurance coverage for Medicaid recipients and cost avoiding for claims covered by other insurance.
Background: The State utilizes a vendor in conjunction with its MMIS operations to identify TPL coverage for Medicaid (and CHIP) eligible members. For members enrolled in managed care, the managed care organizations (MCOs) are responsible for identifying TPL coverage. By contract, MCOs must notify the State of identified TPL within 5 business days of discovery. In response to prior year reporting of this issue, the State began more actively sharing identified TPL information with the MCOs.
Criteria: 42 CFR §433.138 requires that States (as defined in their approved State Plan) take reasonable measures to determine the legal liability of the third parties responsible for paying for services furnished under the State Plan. Federal regulations indicate the minimum required measures that the State must include in their State Plan. Rhode Island’s State Plan TPL procedures are largely focused on TPL identification processes for fee-for-service claiming within the Medicaid program. The State’s contracts with MCOs include requirements for the identification and reporting of TPL for covered members.
With most Medicaid beneficiaries enrolled in managed care, ensuring the completeness and effectiveness of TPL identification by the MCOs is important to ensure compliance with federal regulations. Actual claims paid by the MCOs become the basis for final contract settlements; therefore, failure to identify other responsible insurance (TPL) prevents timely cost avoidance during claims processing and increases overall contract costs for the Medicaid program.
Condition: During fiscal 2023, we performed certain analytical procedures on MCO encounter data to identify instances where Medicaid recipients (members with Medicaid eligibility for the entire year) had verified TPL coverage that was consistent with their Medicaid managed care coverage to determine the extent to which MCOs were paying for claims that could be cost avoided. We selected a random sample of encounter claims where the State reported verified TPL coverage (positive) and a random sample of encounter claims where the State did not report verified TPL coverage (negative). We confirmed a sample of positive and negative sample items with the MCOs to evaluate the percentage of State verified TPL that the MCOs had successfully identified. Our test results for fiscal 2023 showed notable improvement from prior years. While one MCO reported 100% accuracy in their sample results, two MCOs each reported a 15% error rate (missing TPL coverage for 3 out of 20 members included in our sample).
Our continued analysis of federal requirements for TPL identification and cost avoidance in fiscal 2023, while showing significant improvement, supports the need for continued monitoring and validation procedures by EOHHS. EOHHS should continue to obtain a validated TPL insurance coverage file for Medicaid members annually and share validated TPL coverage with the MCOs. EOHHS should also request Medicaid member TPL coverage from the MCOs annually to validate that the MCOs are utilizing the data provided by the State.
Cause: Insufficient monitoring of TPL identification and cost avoidance by managed care organizations to ensure compliance with federal regulations.
Effect: Possible noncompliance with federal regulations requiring cost avoidance or recovery of costs when third-party liability coverage is available. Overpayment of capitation and MCO contract settlement costs.
Questioned Costs: None
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-063 Share and match identified TPL coverage with the MCOs annually. Periodic matching with MCO enrollment files would ensure that TPL coverage is consistently being applied throughout the Medicaid and CHIP programs.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-064 (other noncompliance / material weakness – new finding)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Eligibility
CONTROLS OVER MEDICAID ELIGIBILITY
Operational and control deficiencies during fiscal 2023 resulted in noncompliance with federal regulations relating to Medicaid eligibility.
Background: RIBridges, the State’s computer system used to manage multiple federally funded human service programs, determines eligibility for Medicaid. The COVID-19 public health emergency (PHE), which continued until May 2023, restricted States from modifying recipient eligibility during the PHE, except for certain circumstances (i.e., death, relocation out of State, voluntary member withdrawal).
Criteria: Medicaid eligibility requirements are detailed in the State Plan (Section 1115 Global Waiver).
42 CFR sections 435.940 through 435.960, which detail income and eligibility verification requirements for Medicaid, require State-administered public assistance programs to establish procedures for obtaining, using, and verifying information relevant to determinations as to eligibility and the amount of assistance. Section 1902(a)(4) of the Act allows the HHS Secretary to prescribe methods of administration found necessary for the proper and efficient operation of a State’s Medicaid plan.
42 CFR §435.916 requires the periodic renewal of recipient Medicaid eligibility. The 12-month renewal period mandated for MAGI-eligible recipients pertains to the majority of Medicaid and CHIP recipients in Rhode Island.
Condition: For fiscal 2023, we tested a sample of 60 Medicaid eligible members (capitation payments totaling $240,129, federal share - $172,893, for the members tested) claimed for compliance with program eligibility. Total capitation payments claimed to Medicaid totaled $1.8 billion (federal share - $1.3 billion) during fiscal 2023. Both systemic and operational deficiencies were noted during our testing resulting in noncompliance with eligibility requirements for the Medicaid program, specifically:
• Inconsistencies with the operation of the State Wage Information Collection Agency (SWICA) interface were noted in 2 out of 60 cases (questioned costs - $2,007). Eligibility determinations in these cases were post-PHE and actual reported SWICA income would have made the members ineligible for Medicaid.
• A member was determined ineligible in RIBridges beginning 11/1/2019 (pre-PHE) but has remained continuously eligible on Medicaid (questioned costs - $5,443).
• Documentation supporting income (e.g., electronic SWICA validation or applicant submitted documentation (i.e., paystubs)) was lacking in 4 out of 60 cases. Since we were able to perform alternative procedures to validate reported income to SWICA data provided by the Department of Labor and Training, these cases were not deemed to be noncompliance as reported household income would have made these members eligible for Medicaid.
As noted above, eligibility was determined to be incorrect or unsupported in 3 of 60 sample members tested (5% error rate). Total questioned costs identified during our testing were $7,450.
In addition to noncompliance reported above, the State continued to claim Medicaid Expansion enhanced reimbursement (90% FMAP (Federal Medical Assistance Percentage)) for certain members older than 65 during fiscal 2023. While PHE requirements allowed members to remain eligible on Medicaid, states needed to redetermine eligibility for these members upon reaching age 65 to see if they were eligible for a different Medicaid eligibility category. In conjunction with our Medicaid eligibility testing, we tested a random sample of 23 Medicaid Expansion members over the age of 65 for redetermination by the State. Our testing found that 11 out of the 23 members tested turned age 65 prior to the PHE period beginning in March 2020, thus enhanced federal reimbursement should have ended upon turning age 65 (questioned costs - $79,946). Since redetermination was not performed, we could not determine if the individual would have remained qualified for Medicaid. Our analysis identified 158 members based on date of birth that should have aged out of Medicaid expansion prior to the start of the PHE.
During our audit, utilizing the U.S. Department of Treasury’s “Do Not Pay” service, we evaluated the Medicaid enrollment file as of June 30, 2023 to determine the State’s timeliness of terminating eligibility for deceased members. The “Do Not Pay” service compared the Medicaid enrollment file to the Social Security Administration (SSA) Death Master File to determine if currently enrolled members were reported deceased to the SSA. This analysis identified 3,298 deceased members still active on Medicaid at June 30, 2023. The period by which the members remained active on Medicaid after reported death, the number of members, and the amount of capitation paid in fiscal 2023 subsequent to the month of death is summarized as follows:
[See Schedule of Findings and Questioned Costs for table.]
Controls to ensure timely termination of Medicaid enrollment upon death still appear lacking to prevent capitation payments from being made for deceased members. While capitation can be recouped once identified, the length that payments are continuing is significant and could span managed care contract settlement periods. Under federal regulations, capitation payments for deceased members would be considered an ineligible payment of federal funds.
While we noted instances where RI Medicaid was recouping capitation once death was recorded in the MMIS for certain cases, the length of time that managed care capitation was continuing is indicative that system controls were not effective in terminating coverage in a timely manner. A detailed review of some of these cases noted that RIBridges was aware of the date of death, but eligibility was still active or pending closure. In many cases, the date of death reporting was not communicated to the MMIS, resulting in continued capitation payments. The amounts included above had active eligibility at June 30, 2023 and capitation had not been recouped during fiscal 2023. Of the 3,298 members identified as deceased, 521 had reported dates of death older than two years. Based on our June 30, 2023 evaluation, estimated questioned costs for capitation payments made for deceased individuals totaled $5,125,758, pending recoupment of capitation payments to managed care organizations and the transportation provider.
In conjunction with audit work performed during fiscal 2023 to evaluate the effectiveness of systemic processes in RIBridges designed to identify Medicaid/CHIP members no longer residing in the State, we determined that the system functionality to follow-up on Public Assistance Reporting Information System (PARIS) notifications was not operating as designed. PARIS notifies States when a member has begun receiving benefits in another state or territory. The State opted to pause the functionality due to a lack of operational capacity to adhere to CMS 9912 Final Rule which required the State to pursue additional reasonable measures during the PHE before terminating the individual’s enrollment. With systemic controls paused, controls over member residency during our audit period were ineffective. The amount of capitation paid for Medicaid members no longer residing in the State was not determinable for our audit period.
Lastly, we identified some instances where non-qualified, non-citizen children that were eligible under a State coverage program titled “Cover All Kids” had been coded with Medicaid aid categories during certain periods within fiscal 2023. Our analysis found that the coding error likely impacted 373 cases within Medicaid during fiscal 2023. Since the duration of the coding error varied, ineligible costs could not be determined.
Cause: Noncompliance with Medicaid eligibility requirements was caused by specific programming deficiencies within RIBridges (e.g., failure to redetermine Medicaid Expansion members upon age 65, interface validations not operating as designed) or insufficient documentation supporting eligibility within the case record (e.g., lack of income documentation).
Effect: Noncompliance with federal requirements relating to recipient eligibility for Medicaid.
Questioned Costs: $5,213,154
Valid Statistical Sampling: Yes
RECOMMENDATIONS
2023-064a Address and correct the RIBridges system deficiencies (e.g., SWICA interface, Medicaid Expansion age-out, Death reporting) which weaken controls and result in noncompliance with federal regulations regarding Medicaid eligibility.
2023-064b Enhance controls over the identification of deceased members and members that have relocated out-of-State to minimize ineligible benefit payments within the Medicaid program.
2023-064c Identify ineligible Medicaid costs and return to the federal grantor.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-065 (other noncompliance / significant deficiency – repeat finding – 2022-073)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
SERVICES PROVIDED TO CHILDREN IN THE STATE’S CUSTODY BY THE DEPARTMENT OF CHILDREN, YOUTH, AND FAMILIES (DCYF) BILLED TO MEDICAID
Certain psychiatric residential treatment facility (PRTF) services provided to children in the State’s custody were not charged to Medicaid in fiscal 2023 in accordance with the methodology approved in the State Plan. Controls over other services provided to children in the State’s custody would be improved if processed through the Medicaid Management Information System (MMIS).
Background: EOHHS, the Single State Medicaid Agency, administers claiming to Medicaid from other health and human service State agencies (such as DCYF) through the execution of Interagency Service Agreements (ISAs). The ISA provides approval by the Single State Medicaid Agency that the proposed services are allowable and identifies requirements that the other agency must comply with to support the allowability of the claims to Medicaid. Services authorized by the ISAs should be claimed in accordance with approved State Plan requirements. PRTF services (which began in fiscal 2020) claimed by DCYF to Medicaid are an identified service within the ISA. The approval to claim these services based on an all-inclusive rate determined through a cost-based methodology was approved by the Centers for Medicare and Medicaid Services (CMS) in fiscal 2023.
Criteria: Reimbursing providers in accordance with an approved State Plan methodology is a requirement for considering the allowability of federal expenditures. The Medicaid State Plan stipulates a cost reimbursement methodology for establishment of reimbursement rates for PRTF service providers.
Condition: DCYF implemented psychiatric residential treatment facility (PRTF) services during fiscal 2020 to provide a current level of service to children in the State’s custody that was previously lacking. Previously, DCYF allocated claiming for all contracted youth placement providers to Medicaid based on a time study methodology (partial charging, previously based on underlying time study allocation for treatment and assessment component of service provided). PRTF placements were a change, in that certified and licensed facilities would be charged at 100% of the contracted per diem rate (set based on a cost reimbursement methodology) to Medicaid. Medicaid reimbursements have been made to DCYF since inception of PRTF services based on the new methodology (determined through provider budget submission). CMS approved a State Plan amendment for a cost reimbursement methodology during fiscal 2023. PRTF services during fiscal 2023 continued to be reimbursed through an unapproved methodology. DCYF was reimbursed approximately $5.4 million for PRTF services provided to children in the State’s custody during fiscal 2023.
During our audit, we also noted that approximately $20 million in other services to children in the State’s custody (referred to as manual billings by DCYF) are being claimed to Medicaid through journal entries in the State Accounting System. Controls over these services would be greatly enhanced if these providers submitted claims directly to the MMIS for reimbursement. Allowing fee-for-service claiming to be reimbursed by Medicaid external to the MMIS significantly weakens program controls.
Cause: Medicaid reimbursements of PRTF services to DCYF during fiscal 2023 were not based on the specific cost reimbursement methodology approved in the State plan. Control weaknesses exist when Medicaid claiming is not processed through the MMIS.
Effect: Potential noncompliance with federal regulations for allowable costs/cost principles.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-065a Reprocess claims for PRTF services to ensure that the provider is reimbursed based on the allowable cost reimbursement methodology and return any ineligible amounts to the federal grantor.
2023-065b Ensure that allowable medical services provided by DCYF providers are billed directly to the MMIS and subject to all designed claims processing, recipient eligibility, and provider eligibility controls.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-066 (significant deficiency – new finding)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER STATE HOSPITAL CLAIMING
Controls need to be improved to ensure that claims from the State Hospital are reimbursed by Medicaid as the payer of last resort.
Criteria: Federal regulations require Medicaid to be the “payer of last resort.” This means that all third party insurance carriers, including Medicare and private health insurance carriers, must be billed before Medicaid processes the claim.
Condition: Unlike similar providers that claim reimbursement to Medicaid, claims submitted by Eleanor Slater Hospital (ESH), a State-operated hospital, are not edited to ensure that ESH has sought reimbursement from Medicare before seeking reimbursement from Medicaid. Normal processing requires the provider to submit to Medicaid an “explanation of benefits” (EOB) from Medicare which shows that Medicare was billed and was not reimbursed or only partially reimbursed for the claim based on the individual’s remaining benefits. The amount of claims, if any, inappropriately reimbursed by Medicaid could not be determined.
Cause: Controls over State Hospital claiming were inadequate to ensure compliance with federal regulations requiring Medicaid to be the payer of last resort.
Effect: Ineligible reimbursements by Medicaid for Eleanor Slater Hospital claims for members with other insurance coverage (predominantly Medicare).
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-066 Ensure that claiming from Eleanor Slater Hospital is subject to edits for other insurance to ensure that Medicaid is the payer of last resort.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-067 (significant deficiency – new finding)
MEDICAID CLUSTER – 93.775, 93.777, 93.778
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2022 and 2023
Federal Award Numbers: 2205RI5MAP and 2305RI5MAP
Administered by: Executive Office of Health and Human Services (EOHHS)
Compliance Requirement: Allowable Costs/Cost Principles
CONTROLS OVER SPECIAL EDUCATION SERVICES PROVIDED BY LOCAL EDUCATION AGENCIES
Special education services monitoring needs more oversight to ensure that required corrective actions and certifications are obtained from local education agencies.
Criteria: The State has established policies and procedures relating to its oversight of special education services claiming by local education agencies (LEAs). These policies and procedures are detailed in EOHHS’s Direct and Administrative Services Guidebooks for LEAs. The guidebooks, among several requirements, mandate a) the submission of a quality assurance Medicaid Action Plan (LEA policies and procedures to ensure claiming meets federal requirements) and b) the quarterly submission of the Certification of Funds letters in accordance with the EOHHS/LEA Interagency Provider Agreement, which attests to the provision of State match requirements by the local education agencies.
Condition: Our review of EOHHS’ monitoring of LEA special education services billed to Medicaid identified the following:
• 1 LEA in our sample of 4 providers (out of 42 providers) had not submitted the required Medicaid Action Plan until requested during our audit, and
• EOHHS could not provide documentation of quarterly Certification of Funds letters submitted from all 4 providers sampled.
While our testing found that EOHHS’ monitoring was substantially being performed during fiscal 2023, documentation of certain compliance areas was lacking. Since other monitoring procedures were found to be in place for the providers reviewed, we did not consider claiming reimbursed to these providers to represent noncompliance with federal regulations.
Cause: Monitoring special education services was impacted by staff turnover during fiscal 2023 and oversight by EOHHS did not detect the noncompliance with departmental policies and procedures.
Effect: Potential noncompliance with federal regulations regarding the allowability of special education services reimbursed by Medicaid.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATION
2023-067 Enhance oversight of special education services by LEAs to ensure compliance with adopted policies and procedures.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-030 (material noncompliance / material weakness – repeat finding – 2022-039 and 2022-060)
EMERGENCY RENTAL ASSISTANCE PROGRAM – 21.023
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: ERAE0006
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
CORONAVIRUS STATE AND LOCAL FISCAL RECOVERY FUNDS – 21.027
Federal Awarding Agency: U.S. Department of the Treasury (TREAS)
Federal Award Fiscal Years: 2021 to 2025
Federal Award Number: SLFRP0136
Administered by: Rhode Island Department of Administration, Pandemic Recovery Office (PRO)
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019 to 2024
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
DISASTER GRANTS – PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) – 97.036
Federal Awarding Agency: U.S. Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA)
Federal Award Fiscal Years: 2020 to 2023
Federal Award Number: FEMA-4505-DRRIP00000001
Administered by: Rhode Island Emergency Management Agency (RIEMA)
Compliance Requirement: Subrecipient Monitoring
SUBRECIPIENT MONITORING
The State has not implemented adequate subrecipient monitoring activities to ensure material compliance with federal regulations for several federal programs.
Background: The State relies on grantee agencies to perform subrecipient monitoring, when required, and ensure compliance with federal regulations. There is no statewide monitoring of subrecipient activities to ensure compliance with federal regulations.
Criteria: 2 CFR §200.332(d) “Requirements for pass-through entities” requires that all pass-through entities must “monitor the activities of the subrecipient as necessary to ensure that the subaward is used for authorized purposes, in compliance with Federal statutes, regulations, and the terms and conditions of the subaward; and that subaward performance goals are achieved.” That monitoring must include (1) reviewing financial and performance reports, (2) following-up and ensuring that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the Federal award provided to the subrecipient from the pass-through entity detected through audits, on-site reviews, and other means, (3) issuing a management decision for audit findings pertaining to the Federal award.
2 CFR §200.332(a)(1) requires pass-through entities to clearly identify certain Federal award identification information in the subaward (e.g., subrecipient unique entity identifier, Federal Award Identification Number, Assistance Listing number and title, et al.).
Condition: For the federal programs cited above, State pass-through agencies did not perform subrecipient monitoring activities required by federal regulations. Our testing evaluated whether the grantee agency obtained and reviewed subrecipient financial and performance reports, i.e., Single Audit reports, when applicable, or performed other monitoring activities to comply with federal regulations. Based on test results, specific to agency review of Single Audit reports, the following programs were deemed to be in material noncompliance with subrecipient monitoring requirements:
[See Schedule of Findings and Questioned Costs for tables.]
In addition to the noncompliance related to review of subrecipient audit reports noted above, we identified the following deficiencies:
• Emergency Rental Assistance Program and Coronavirus State and Local Fiscal Recovery Funds – The Pandemic Recovery Office (PRO) along with the Department of Housing, through a memorandum of understanding with PRO to administer portions of these programs, executed various subawards with local non-profit organizations. Procedures were in place to review and approve monthly invoice packages for adherence to program requirements and contract budgets, and consistency with key performance indicator data submitted by the subrecipients. However, no on-site monitoring was performed in fiscal 2023 and periodic meetings with subrecipients were not documented.
• Epidemiology and Laboratory Capacity for Infectious Diseases – Subawards executed by the Department of Health did not adequately identify required Federal award identification information.
Cause: The State did not conduct subrecipient monitoring activities required to materially comply with federal regulations.
Effect: Noncompliance with federal compliance requirements by subrecipients could occur without being identified by the State in a timely manner.
Questioned Costs: None
Valid Statistical Sampling: Yes
RECOMMENDATION
2023-030 Improve policies and procedures statewide to ensure compliance with federal regulations for subrecipient monitoring.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-068 (significant deficiency – repeat finding – 2022-075)
DISASTER GRANTS – PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) – 97.036
Federal Awarding Agency: U.S. Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA)
Federal Award Fiscal Years: 2020 to 2023
Federal Award Number: FEMA-4505-DRRIP00000001
Administered by: Rhode Island Emergency Management Agency (RIEMA)
Compliance Requirement: Reporting
FEDERAL FINANCIAL REPORTS
RIEMA lacks controls over federal reporting to ensure that submitted federal reports are accurate and supported by the State accounting system.
Criteria: Consistent with Uniform Guidance requirements, the State is required to complete the SF 425, Federal Financial Report, quarterly for the grant on a cumulative cash basis. The FFR should be sufficiently supported by the State’s accounting records.
Condition: For fiscal 2023, we noted variances between the amounts reported on each of the quarterly SF 425 reports and obligations reported in FEMA’s grants portal. In certain instances, the differences reported in cash receipts were due to immaterial timing differences. However, for one quarter, we noted a significant timing difference of over $4 million. Additionally, for the quarter ended June 30, 2023, we noted a cumulative difference of $315,429. While we found that RIEMA materially complied with federal reporting requirements, internal controls such as reconciling federal reports with the State accounting system were lacking to identify quarterly reporting errors.
Cause: RIEMA did not have procedures in place to ensure that federal reports were consistent with underlying supporting documentation (i.e., State accounting system).
Effect: Expenditures and cash receipts reported on the SF-425 were understated at year-end.
Questioned Costs: None
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-068a Strengthen procedures for preparing federal financial reports to ensure that information reported is adequately supported and consistent with underlying records.
2023-068b Submit revised SF-425 to reflect corrected expenditures and drawdowns for fiscal 2023, as necessary.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.
Finding 2023-050 (significant deficiency – repeat finding – 2022-052)
EPIDEMIOLOGY AND LABORATORY CAPACITY FOR INFECTIOUS DISEASES (ELC) – 93.323
Federal Awarding Agency: U.S. Department of Health and Human Services (HHS)
Federal Award Fiscal Years: 2019 to 2024
Federal Award Number: NU50CK000519
Administered by: Rhode Island Department of Health (RIDOH)
DISASTER GRANTS – PUBLIC ASSISTANCE (PRESIDENTIALLY DECLARED DISASTERS) – 97.036
Federal Awarding Agency: U.S. Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA)
Federal Award Fiscal Years: 2020 to 2023
Federal Award Number: FEMA-4505-DRRIP00000001
Administered by: Rhode Island Emergency Management Agency (RIEMA)
Compliance Requirement: Activities Allowed or Unallowed; Allowable Costs/Cost Principles
CONTROLS OVER PANDEMIC-RELATED EXPENDITURES ALLOCABLE TO MULTIPLE FUNDING SOURCES OR FEDERAL AWARDS
The State had insufficient controls to ensure expenditures were not reimbursed from more than one funding source or award under federal programs with similar pandemic response related objectives. Reconciliations of accounting records to align program revenues with federal revenues received were not fully completed at fiscal year-end.
Background: The State has received an unprecedented amount of federal assistance to respond to the effects of the global health pandemic. Included in this assistance were funds received from the FEMA Stafford Act Disaster Grants program and the Epidemiology and Laboratory Capacity for Infectious Diseases (ELC) program, among others. Certain costs were eligible for reimbursement under multiple programs and funding sources. Expenditures were often applied to one funding source and then subsequently adjusted to another funding source as federal guidelines changed and the end of the period of availability drew near for multiple awards. Due to the length of the pandemic, adjustments of program expenditures between federal programs or other funding sources overlapped fiscal years at times.
Criteria: Expenditures may only be reimbursed from one funding source or federal award.
Condition: Due to changing federal guidelines and the evolving State response to the pandemic, costs were sometimes charged to one funding source and then later moved to another funding source. When expenditures are reclassified or reallocated within the RIFANS accounting system, journal entries are used to move the aggregate dollar activity; however, the original transaction (expenditure/disbursement) remains in the account originally charged, offset by a credit. This process complicates the identification of the underlying expenditures reimbursed by the federal award and increases the risk that expenditures could be reimbursed from more than one federal award.
During fiscal 2023, we noted the following adjustments to financial activity supporting the cited control deficiency:
• Approximately $1.0 million in expenditures were adjusted from ELC to FEMA, and another $1.8 million from restricted funding sources to ELC.
• Approximately $2.1 million was adjusted from various federal programs and non-federal accounts to FEMA’s Disaster Grants program and another $6.6 million from FEMA’s Disaster Grants program to various federal programs and other non-federal expenditure accounts.
The State implemented a reconciliation process to account for, and adjust as necessary, federal program activity to align accounting records with actual final funding sources of the activities. Journal entries were processed in fiscal 2023 to adjust expenditures between federal and non-federal funding sources for prior and current year activity. While there was a significant decrease in the magnitude of the adjustments compared to prior years, reconciliations for all State agencies and departments were not fully completed at June 30, 2023.
Cause: Due to the rapid response required during the pandemic, the existence of multiple federal funding sources, and continually evolving federal guidance, costs were moved and adjusted in the accounting system to various funding sources, which increased the risk that a cost could be reimbursed from more than one funding source or federal award.
Effect: Potential duplicate reimbursement of expenditures from more than one funding source or federal award. Potential of charging costs for unallowable activities to federal programs as the expenditure detail is not maintained when expenditures are adjusted in the accounting system.
Questioned Costs: Undetermined
Valid Statistical Sampling: Not Applicable
RECOMMENDATIONS
2023-050a Ensure reconciliations and any required adjustments are complete to demonstrate that eligible pandemic-related program costs were not reimbursed from more than one funding source.
2023-050b Determine whether any program costs were reimbursed by multiple funding sources. Return any related funds to the appropriate federal grantor.
Auditee views: The auditee concurs with this finding – see Corrective Action Plan in Section E.