FAC Explorer

Audit 305992

FY End
2023-12-31
Total Expended
$1.02M
Findings
6
Programs
5
Organization: East River Legal Services Corporation (SD)
Year: 2023 Accepted: 2024-05-10
Auditor: Eide Bailly LLP

Organization Exclusion Status:

Findings

ID Ref Severity Repeat Requirement
396415 2023-002 Significant Deficiency - N
396416 2023-003 Significant Deficiency - E
396417 2023-004 Significant Deficiency - I
972857 2023-002 Significant Deficiency - N
972858 2023-003 Significant Deficiency - E
972859 2023-004 Significant Deficiency - I

Programs

ALN Program Spent Major Findings
09.U01 Basic Field Grant $585,331 Yes 3
16.575 Crime Victim Assistance $378,416 - 0
93.044 Special Programs for the Aging_title Iii, Part B_grants for Supportive Services and Senior Centers $49,257 - 0
09.U02 Rural Summer Legal Clerk $7,000 Yes 0
09.U03 Lsc Tech Improvement Grant $4,132 Yes 0

Contacts

Name Title Type
GLQWKLKHG117 Lea Wroblewski Auditee
6052756938 Joy Feige Auditor
No contacts on file

Notes to SEFA

Title: Basis of Presentation Accounting Policies: Expenditures reported in the schedule are reported on the accrual basis of accounting. When applicable, such expenditures are recognized following the cost principles contained in the Uniform Guidance, wherein certain types of expenditures are not allowable or are limited as to reimbursement. No federal financial assistance has been provided to a subrecipient. De Minimis Rate Used: N Rate Explanation: The Organization has not elected to use the 10% de minimis cost rate. The accompanying schedule of expenditures of federal awards (the schedule) includes the federal award activity of the Organization under programs of the federal government for the year ended December 31, 2023. The information is presented in accordance with the requirements of Title 2 U.S. Code of Federal Regulations Part 200, Uniform Administrative Requirements, Costs Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Because the schedule presents only a selected portion of the operations of the Organization, it is not intended to and does not present the financial position, changes in net assets, or cash flows of the Organization.

Finding Details

Finding 2023-002
Legal Services Corporation FFAL #09-542026 Legal Services Corporation – Basic Field Grant Special Tests & Provisions – Accounting Requirements Significant Deficiency in Internal Control over Compliance Criteria: Per Section 2.5.3 of the LSC Financial Guide, recipients are required to have written security policies and procedures for physical and digital assets including all financial data and records in any form (e.g., electronic data processing (EDP) and cybersecurity policies and procedures). These policies and practices should be part of an overall data and records security policy and an annual overall risk assessment process. LSC recommends obtaining guidance from qualified experts in data and records security, including cybersecurity. LSC also recommends including in the risk assessment process consideration of appropriate insurance policies or determining if the recipient is sufficiently self-insured. Recipients must establish physical, administrative, technical, and virtual/remote access controls and other measures to safeguard physical and digital assets (e.g., office space, computers, information systems, sensitive information, and financial data/records), including modifications to assets and systems. The policies should specifically address cybersecurity and the risk from cyber incidents such as data breaches, business interruption, and network damage. Recipients should also consider what actions (including notification) to take in the event of such cyber incidents. Policies and procedures must include the following requirements: • Perform (and document) an annual risk assessment • Resolve any risk findings or conclusions • Maintain physical access controls for servers and storage rooms • Develop and periodically test an emergency disaster prevention and recovery plan • Perform regular back up of electronic records and systems stored offsite or in a virtual environment with easy-to-use restoration options • Formally assign computer and data security responsibilities Recipients should implement these policies and regularly check that they are followed. Recipients should evaluate these policies and update them as appropriate through an annual risk assessment process. These controls will vary with the type of software used, size of the organization, and the number of personnel involved in making, processing, and approving financial transactions. Risk assessment procedures will vary by recipient. However, at minimum, the process should: • Identify the physical and digital assets susceptible to cyberattacks • Identify risks to those assets (risks should be evaluated annually for changes) • Evaluate the risks (e.g., high, medium, or low) based on likelihood and impact • Document the results of the risk assessment, including the development and implementation of appropriate controls Condition: The Organization did not perform an annual risk assessment during 2023 and did not test an emergency disaster prevention and recovery plan. Cause: Management believed they were complying with the compliance requirements as LSC provided specific IT security during the year and the Organization continued to make progress with their technology improvement plan put into place towards the end of 2022. Management was not fully aware of the extent of an annual risk assessment and the other IT matters specifically identified within the LSC Financial Guide. Effect: Without completing a written evaluation detailing the identified risks and the resolution of any prior risk findings or conclusion, the Organization may be less prepared for a security incident. Questioned Costs: None reported. Context/Sampling: Sampling was not used. Repeat Finding from Prior Year: No Recommendation: We recommend management review the requirements of the 2023 LSC Financial Guide to ensure compliance. Views of Responsible Officials: Management is in agreement.
Finding 2023-003
Legal Services Corporation FFAL #09-542026 Legal Services Corporation – Basic Field Grant Eligibility Significant Deficiency in Internal Control over Compliance Criteria: 45 CFR 1644.4 establishes that the auditee must establish and maintain effective internal control over the federal award that provides assurance that the entity is managing the federal award in compliance with federal statutes, regulations, and conditions of the federal award. Condition: One instance where a case was improperly entered into Legal Server as no application was completed. Cause: There was not a full understanding of when a case would be considered an open case within Legal Server. Effect: Lack of compliance with designed internal controls over case files could result in the Organization using funds for cases that are not eligible for reimbursement. Questioned Costs: None reported. Context/Sampling: A nonstatistical sample of 62 cases out of more than 250 cases opened during 2023 were selected for eligibility testing. Repeat Finding from Prior Year: No Recommendation: We recommend management review the internal control process to ensure cases are entered within Legal Server when the case is considered an open case. Views of Responsible Officials: Management is in agreement.
Finding 2023-004
Legal Services Corporation FFAL #09-542026 Legal Services Corporation – Basic Field Grant Procurement Significant Deficiency in Internal Control over Compliance Criteria: 45 CFR 1631 requires that a non-Federal entity must use its own documented procurement procedures which reflect applicable state and local laws and regulations, provided that the procurements conform to applicable federal law. Condition: Our testing detected one instance in which the transaction exceeded the Organization’s micro and small purchase threshold of $25,000, requiring rate quotes and a written evaluation why the vendor was chosen, however, this was not completed. Cause: There was a lapse in oversight of the internal control process ensuring rate quotes are obtained and written evaluation was completed, detailing the Organization’s considerations over the procurement process. Effect: Without obtaining rate quotes and completing a written evaluation detailing the history of procurement, demonstrating the program complies with laws, regulations, and other compliance requirements is difficult. Questioned Costs: None reported based on assessment of comparative pricing readily available. Context/Sampling: A nonstatistical sample of 60 disbursements out of more than 250 disbursements were selected for testing. Out of the 60 disbursements, one item exceeded the Organization’s micro and small purchase threshold. Repeat Finding from Prior Year: No. Recommendation: We recommend management review the internal control process to ensure procurement considerations are documented and retained. Views of Responsible Officials: Management is in agreement.
Finding 2023-002
Legal Services Corporation FFAL #09-542026 Legal Services Corporation – Basic Field Grant Special Tests & Provisions – Accounting Requirements Significant Deficiency in Internal Control over Compliance Criteria: Per Section 2.5.3 of the LSC Financial Guide, recipients are required to have written security policies and procedures for physical and digital assets including all financial data and records in any form (e.g., electronic data processing (EDP) and cybersecurity policies and procedures). These policies and practices should be part of an overall data and records security policy and an annual overall risk assessment process. LSC recommends obtaining guidance from qualified experts in data and records security, including cybersecurity. LSC also recommends including in the risk assessment process consideration of appropriate insurance policies or determining if the recipient is sufficiently self-insured. Recipients must establish physical, administrative, technical, and virtual/remote access controls and other measures to safeguard physical and digital assets (e.g., office space, computers, information systems, sensitive information, and financial data/records), including modifications to assets and systems. The policies should specifically address cybersecurity and the risk from cyber incidents such as data breaches, business interruption, and network damage. Recipients should also consider what actions (including notification) to take in the event of such cyber incidents. Policies and procedures must include the following requirements: • Perform (and document) an annual risk assessment • Resolve any risk findings or conclusions • Maintain physical access controls for servers and storage rooms • Develop and periodically test an emergency disaster prevention and recovery plan • Perform regular back up of electronic records and systems stored offsite or in a virtual environment with easy-to-use restoration options • Formally assign computer and data security responsibilities Recipients should implement these policies and regularly check that they are followed. Recipients should evaluate these policies and update them as appropriate through an annual risk assessment process. These controls will vary with the type of software used, size of the organization, and the number of personnel involved in making, processing, and approving financial transactions. Risk assessment procedures will vary by recipient. However, at minimum, the process should: • Identify the physical and digital assets susceptible to cyberattacks • Identify risks to those assets (risks should be evaluated annually for changes) • Evaluate the risks (e.g., high, medium, or low) based on likelihood and impact • Document the results of the risk assessment, including the development and implementation of appropriate controls Condition: The Organization did not perform an annual risk assessment during 2023 and did not test an emergency disaster prevention and recovery plan. Cause: Management believed they were complying with the compliance requirements as LSC provided specific IT security during the year and the Organization continued to make progress with their technology improvement plan put into place towards the end of 2022. Management was not fully aware of the extent of an annual risk assessment and the other IT matters specifically identified within the LSC Financial Guide. Effect: Without completing a written evaluation detailing the identified risks and the resolution of any prior risk findings or conclusion, the Organization may be less prepared for a security incident. Questioned Costs: None reported. Context/Sampling: Sampling was not used. Repeat Finding from Prior Year: No Recommendation: We recommend management review the requirements of the 2023 LSC Financial Guide to ensure compliance. Views of Responsible Officials: Management is in agreement.
Finding 2023-003
Legal Services Corporation FFAL #09-542026 Legal Services Corporation – Basic Field Grant Eligibility Significant Deficiency in Internal Control over Compliance Criteria: 45 CFR 1644.4 establishes that the auditee must establish and maintain effective internal control over the federal award that provides assurance that the entity is managing the federal award in compliance with federal statutes, regulations, and conditions of the federal award. Condition: One instance where a case was improperly entered into Legal Server as no application was completed. Cause: There was not a full understanding of when a case would be considered an open case within Legal Server. Effect: Lack of compliance with designed internal controls over case files could result in the Organization using funds for cases that are not eligible for reimbursement. Questioned Costs: None reported. Context/Sampling: A nonstatistical sample of 62 cases out of more than 250 cases opened during 2023 were selected for eligibility testing. Repeat Finding from Prior Year: No Recommendation: We recommend management review the internal control process to ensure cases are entered within Legal Server when the case is considered an open case. Views of Responsible Officials: Management is in agreement.
Finding 2023-004
Legal Services Corporation FFAL #09-542026 Legal Services Corporation – Basic Field Grant Procurement Significant Deficiency in Internal Control over Compliance Criteria: 45 CFR 1631 requires that a non-Federal entity must use its own documented procurement procedures which reflect applicable state and local laws and regulations, provided that the procurements conform to applicable federal law. Condition: Our testing detected one instance in which the transaction exceeded the Organization’s micro and small purchase threshold of $25,000, requiring rate quotes and a written evaluation why the vendor was chosen, however, this was not completed. Cause: There was a lapse in oversight of the internal control process ensuring rate quotes are obtained and written evaluation was completed, detailing the Organization’s considerations over the procurement process. Effect: Without obtaining rate quotes and completing a written evaluation detailing the history of procurement, demonstrating the program complies with laws, regulations, and other compliance requirements is difficult. Questioned Costs: None reported based on assessment of comparative pricing readily available. Context/Sampling: A nonstatistical sample of 60 disbursements out of more than 250 disbursements were selected for testing. Out of the 60 disbursements, one item exceeded the Organization’s micro and small purchase threshold. Repeat Finding from Prior Year: No. Recommendation: We recommend management review the internal control process to ensure procurement considerations are documented and retained. Views of Responsible Officials: Management is in agreement.